SVGPropertyTearOffs should detachChildren before deleting its value.

<http://webkit.org/b/129618>
<rdar://problem/15661617>

Reviewed by Maciej Stachowiak.

Merged from Blink (patch by kouhei@chromium.org):
https://src.chromium.org/viewvc/blink?revision=158563&view=revision
http://crbug.com/296276

Test: svg/transforms/svg-matrix-tearoff-crash.html

NOTE: The test does not reproduce a crash on WebKit using
JavaScriptCore.

* svg/properties/SVGPropertyTearOff.h:
(WebCore::SVGPropertyTearOff::setValue):
(WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
- Call detachChildren() if m_value is a copy.  The original
  Blink patch did not modify the destructor code path, although
  that seems obvious via code inspection.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165053 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 92430decc817574b85d86900a0f39cc393c4ad89..81318bab79f66845c2ce96983ec2650550c26bb0 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2014-03-03  David Kilzer  <ddkilzer@apple.com>
+
+        SVGPropertyTearOffs should detachChildren before deleting its value.
+        <http://webkit.org/b/129618>
+        <rdar://problem/15661617>
+
+        Reviewed by Maciej Stachowiak.
+
+        Merged from Blink (patch by kouhei@chromium.org):
+        https://src.chromium.org/viewvc/blink?revision=158563&view=revision
+        http://crbug.com/296276
+
+        Test: svg/transforms/svg-matrix-tearoff-crash.html
+
+        NOTE: The test does not reproduce a crash on WebKit using
+        JavaScriptCore.
+
+        * svg/properties/SVGPropertyTearOff.h:
+        (WebCore::SVGPropertyTearOff::setValue):
+        (WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
+        - Call detachChildren() if m_value is a copy.  The original
+          Blink patch did not modify the destructor code path, although
+          that seems obvious via code inspection.
+
 2014-03-04  Zalan Bujtas  <zalan@apple.com>
 
         Subpixel rendering: Incorrect repaint rect cuts off content's right edge after move.

diff --git a/Source/WebCore/svg/properties/SVGPropertyTearOff.h b/Source/WebCore/svg/properties/SVGPropertyTearOff.h
index dafb2d6bef7f9c1ac004a3fec865fa2a6deaf8a3..644ec74eedd36c421b92b20915677bc03f21620e 100644 (file)
--- a/Source/WebCore/svg/properties/SVGPropertyTearOff.h
+++ b/Source/WebCore/svg/properties/SVGPropertyTearOff.h
@@ -56,8 +56,10 @@ public:
 
     void setValue(PropertyType& value)
     {
-        if (m_valueIsCopy)
+        if (m_valueIsCopy) {
+            detachChildren();
             delete m_value;
+        }
         m_valueIsCopy = false;
         m_value = &value;
     }
@@ -141,8 +143,10 @@ protected:
 
     virtual ~SVGPropertyTearOff()
     {
-        if (m_valueIsCopy)
+        if (m_valueIsCopy) {
+            detachChildren();
             delete m_value;
+        }
     }
 
     void detachChildren()