Changeset 219334 in webkit


Ignore:
Timestamp:
Jul 11, 2017 9:30:43 AM (7 years ago)
Author:
svillar@igalia.com
Message:

[SVG] Leak in SVGAnimatedListPropertyTearOff
https://bugs.webkit.org/show_bug.cgi?id=172545

Source/WebCore:

Reviewed by Said Abou-Hallawa.

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
reference to SVGAnimatedProperty.

When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
is going to be added to. This effectively creates a reference cycle between the
SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.

  • svg/properties/SVGAnimatedListPropertyTearOff.h:

LayoutTests:

Reviewed by Darin Adler.

  • svg/animations/animation-leak-list-property-instances-expected.txt: Added.
  • svg/animations/animation-leak-list-property-instances.html: Added.
Location:
trunk
Files:
2 added
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r219332 r219334  
     12017-07-11  Sergio Villar Senin  <svillar@igalia.com>
     2
     3        [SVG] Leak in SVGAnimatedListPropertyTearOff
     4        https://bugs.webkit.org/show_bug.cgi?id=172545
     5
     6        Reviewed by Darin Adler.
     7
     8        * svg/animations/animation-leak-list-property-instances-expected.txt: Added.
     9        * svg/animations/animation-leak-list-property-instances.html: Added.
     10
    1112017-07-11  Carlos Alberto Lopez Perez  <clopez@igalia.com>
    212
  • trunk/Source/WebCore/ChangeLog

    r219332 r219334  
     12017-05-24  Sergio Villar Senin  <svillar@igalia.com>
     2
     3        [SVG] Leak in SVGAnimatedListPropertyTearOff
     4        https://bugs.webkit.org/show_bug.cgi?id=172545
     5
     6        Reviewed by Said Abou-Hallawa.
     7
     8        SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
     9        SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
     10        reference to SVGAnimatedProperty.
     11
     12        When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
     13        SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
     14        SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
     15        is going to be added to. This effectively creates a reference cycle between the
     16        SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.
     17
     18        We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.
     19
     20        * svg/properties/SVGAnimatedListPropertyTearOff.h:
     21
    1222017-07-11  Carlos Alberto Lopez Perez  <clopez@igalia.com>
    223
  • trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h

    r219327 r219334  
    7474        else if (&property == m_animVal)
    7575            m_animVal = nullptr;
     76        if (!m_baseVal && !m_animVal)
     77            detachListWrappers(m_values.size());
    7678    }
    7779
Note: See TracChangeset for help on using the changeset viewer.