Changeset 219193 in webkit


Timestamp: Jul 6, 2017 2:57:45 AM (7 years ago)
Author: svillar@igalia.com
Message:

[SVG] Leak in SVGAnimatedListPropertyTearOff
https://bugs.webkit.org/show_bug.cgi?id=172545

Reviewed by Said Abou-Hallawa.

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
reference to SVGAnimatedProperty.

When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
is going to be added to. This effectively creates a reference cycle between the
SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.

  • svg/properties/SVGAnimatedListPropertyTearOff.h:
Location: trunk
Files: 2 added, 2 edited
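
The reference cycle described in the commit message, as an added example that is not part of the changeset and is not WebKit code. It is a simplified model: std::shared_ptr stands in for WebKit's reference counting, and liveObjects, detachOnDelete, detachWrapper and leakedAfterRelease are hypothetical names chosen for the illustration.

```cpp
#include <cstdio>
#include <memory>
#include <vector>
// Simplified model of the cycle in the commit message; std::shared_ptr is an assumed stand-in.
static int liveObjects = 0; // hypothetical counter of objects still alive
struct AnimatedList;

struct ItemTearOff {
    std::shared_ptr<AnimatedList> animatedProperty; // strong back-reference to the owner
    ItemTearOff() { ++liveObjects; }
    ~ItemTearOff() { --liveObjects; }
    void detachWrapper() { animatedProperty.reset(); } // drop the back-reference
};

struct AnimatedList : std::enable_shared_from_this<AnimatedList> {
    std::vector<std::shared_ptr<ItemTearOff>> m_wrappers; // owner -> items
    bool m_baseVal = true, m_animVal = true; // stand-ins for the two tear-off pointers
    bool detachOnDelete;                     // hypothetical switch: false = before the fix
    explicit AnimatedList(bool fix) : detachOnDelete(fix) { ++liveObjects; }
    ~AnimatedList() { --liveObjects; }
    void getItemValuesAndWrappers(unsigned n) {
        for (unsigned i = 0; i < n; ++i) {
            auto item = std::make_shared<ItemTearOff>();
            item->animatedProperty = shared_from_this(); // items -> owner closes the cycle
            m_wrappers.push_back(item);
        }
    }
    void propertyWillBeDeleted(bool isBaseVal) {
        (isBaseVal ? m_baseVal : m_animVal) = false;
        if (detachOnDelete && !m_baseVal && !m_animVal)
            for (auto& wrapper : m_wrappers) wrapper->detachWrapper();
    }
};
// Returns how many objects are still alive after the last outside reference is dropped.
int leakedAfterRelease(bool fix) {
    const int before = liveObjects;
    std::weak_ptr<AnimatedList> probe;
    {
        auto list = std::make_shared<AnimatedList>(fix);
        probe = list;
        list->getItemValuesAndWrappers(3);
        list->propertyWillBeDeleted(true);
        list->propertyWillBeDeleted(false);
    }
    const int leaked = liveObjects - before;
    if (auto survivor = probe.lock()) survivor->m_wrappers.clear(); // free the demo's cycle
    return leaked;
}
int main() { std::printf("before fix: %d, after fix: %d\n", leakedAfterRelease(false), leakedAfterRelease(true)); }
```

Without the detach step the list and its three wrappers keep each other alive after the last outside reference is gone; with it, everything is released.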
  • trunk/Source/WebCore/ChangeLog

    r219191 r219193  
     12017-05-24  Sergio Villar Senin  <svillar@igalia.com>
     2
     3        [SVG] Leak in SVGAnimatedListPropertyTearOff
     4        https://bugs.webkit.org/show_bug.cgi?id=172545
     5
     6        Reviewed by Said Abou-Hallawa.
     7
     8        SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to
     9        SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a
     10        reference to SVGAnimatedProperty.
     11
     12        When SVGListProperty::getItemValuesAndWrappers() is called, it creates a
     13        SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a
     14        SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff
     15        is going to be added to. This effectively creates a reference cycle between the
     16        SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.
     17
     18        We should detach those wrappers in propertyWillBeDeleted() in order to break the cycle.
     19
     20        * svg/properties/SVGAnimatedListPropertyTearOff.h:
     21
    1222017-07-05  Don Olmstead  <don.olmstead@sony.com>
    223
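
Review bot: The date line of the new entry reads 2017-05-24, yet the entry is inserted at the top of the file, directly above the 2017-07-05 entry. Update the date line to the landing date so the ChangeLog stays in chronological order.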
  • trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h

    r208863 r219193  
    7474        else if (&property == m_animVal)
    7575            m_animVal = nullptr;
     76        if (!m_baseVal && !m_animVal)
     77            detachListWrappers(m_values.size());
    7678    }
    7779
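
Review bot: The new if (!m_baseVal && !m_animVal) branch has no comment, so the reason for calling detachListWrappers() at this point (breaking the cycle between the tear-off and the ListItemTearOff entries in m_wrappers) is recorded only in the ChangeLog. Add a one-line comment above the condition, and say why m_values.size() is the right argument, since the visible lines do not show what detachListWrappers() does with it.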