Changeset 50958 in webkit
- Timestamp: Nov 13, 2009 11:56:43 AM (14 years ago)
- Location: trunk/WebCore
- Files: 3 edited
trunk/WebCore/ChangeLog
r50956 r50958 1 2009-11-13 Vitaly Repeshko <vitalyr@chromium.org> 2 3 Reviewed by Dimitri Glazkov. 4 5 [V8] Protect SVG animated properties from destruction in bindings. 6 https://bugs.webkit.org/show_bug.cgi?id=31474 7 8 See http://crbug.com/26719. 9 10 Tested by LayoutTests/svg/custom/js-update-transform-addition.svg 11 under Valgrind. 12 13 Made sure we keep a reference to SVG properties while setting a 14 context: 15 * bindings/scripts/CodeGeneratorV8.pm: 16 * bindings/v8/V8Proxy.h: 17 (WebCore::V8Proxy::withSVGContext): 18 1 19 2009-11-13 Brent Fulgham <bfulgham@webkit.org> 2 20 -
trunk/WebCore/bindings/scripts/CodeGeneratorV8.pm
r50914 r50958 647 647 $resultObject = "wrapper"; 648 648 } 649 $resultObject = "WTF::getPtr(" . $resultObject . ")";650 push(@implContentDecls, GenerateSVGContextAssignment($implClassName, $resultObject, " "));649 push(@implContentDecls, GenerateSVGContextRetrieval($implClassName, " ")); 650 $result = "V8Proxy::withSVGContext($resultObject, context)"; 651 651 } 652 652 -
trunk/WebCore/bindings/v8/V8Proxy.h
r50897 r50958 178 178 static void setSVGContext(void*, SVGElement*); 179 179 static SVGElement* svgContext(void*); 180 181 // These helper functions are required in case we are given a PassRefPtr 182 // to a (possibly) newly created object and must prevent its reference 183 // count from dropping to zero as would happen in code like 184 // 185 // V8Proxy::setSVGContext(imp->getNewlyCreatedObject().get(), context); 186 // foo(imp->getNewlyCreatedObject().get()); 187 // 188 // In the above two lines each time getNewlyCreatedObject() is called it 189 // creates a new object because we don't ref() it. (So our attemts to 190 // associate a context with it fail.) Such code should be rewritten to 191 // 192 // foo(V8Proxy::withSVGContext(imp->getNewlyCreatedObject(), context).get()); 193 // 194 // where PassRefPtr::~PassRefPtr() is invoked only after foo() is 195 // called. 196 template <typename T> 197 static PassRefPtr<T> withSVGContext(PassRefPtr<T> object, SVGElement* context) 198 { 199 setSVGContext(object.get(), context); 200 return object; 201 } 202 static void* withSVGContext(void* object, SVGElement* context) 203 { 204 setSVGContext(object, context); 205 return object; 206 } 180 207 #endif 181 208
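Review bot: In trunk/WebCore/bindings/scripts/CodeGeneratorV8.pm, the new line 650 emits `V8Proxy::withSVGContext($resultObject, context)`, which only compiles if GenerateSVGContextRetrieval on the line before declared a local named `context`, and nothing in the hunk documents that coupling. A one-line comment above the push would make the dependency explicit. The branch just above sets $resultObject to "wrapper"; if that expression is a raw pointer rather than a PassRefPtr, the call resolves to the void* overload added in V8Proxy.h and $result becomes an untyped pointer, so please confirm every consumer of $result still receives the type it expects now that the WTF::getPtr() wrapping is gone.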
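Review bot: In trunk/WebCore/bindings/v8/V8Proxy.h, the void* overload of withSVGContext (new lines 202-206) takes no reference and returns an untyped pointer, so it provides none of the lifetime protection the comment block above it describes. A caller that passes `.get()` on a temporary still registers a context for an object that is destroyed at the end of that statement. Consider stating in the comment that this overload is only for objects the caller already keeps alive, or replacing it with typed overloads. The PassRefPtr template (lines 196-201) calls `setSVGContext(object.get(), context)` with no null check; please confirm setSVGContext tolerates a null key or add a guard. Minor: "attemts" in the comment should be "attempts".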