https://bugs.webkit.org/show_bug.cgi?id=121033

Patch by Darin Adler <darin@apple.com> on 2013-10-10
Reviewed by Dean Jackson.

For safe iteration, use a set rather than a vector, and remove the clients from
the set if they are removed during iteration.

Test: fast/animation/request-animation-frame-remove-client.html

* platform/graphics/DisplayRefreshMonitor.cpp:
(WebCore::DisplayRefreshMonitor::DisplayRefreshMonitor): Initialize the
m_clientsToBeNotified pointer to null.
(WebCore::DisplayRefreshMonitor::removeClient): If there is a m_clientsToBeNotified
set, remove from it as well as the real m_clients set.
(WebCore::DisplayRefreshMonitor::displayDidRefresh): Use a HashSet instead of a
vector for the copy of the clients set we iterate.

* platform/graphics/DisplayRefreshMonitor.h: Moved some of the BlackBerry-specific
part of this out of the header. Added a new HashSet pointer, m_clientsToBeNotified,
to be used to remove clients during the notification process. Also added a FIXME.

* platform/graphics/blackberry/DisplayRefreshMonitorBlackBerry.cpp: Moved the
DisplayAnimationClient class in here.

LayoutTests: Use after free in WebCore::DisplayRefreshMonitorClient::fireDisplayRefreshIfNeeded
http://webkit.org/b/121033

Update test to indicate it no longer crashes.

* TestExpectations: Mark test as passing.
* fast/animation/request-animation-frame-remove-client-expected.txt:
* fast/animation/request-animation-frame-remove-client.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157299 268f45cc-cd09-0410-ab3c-d52691b4dbfc