Commit 8450dde3 authored by antti@apple.com's avatar antti@apple.com
Browse files

2008-04-17 Antti Koivisto <antti@apple.com>

        Reviewed by Oliver.
        
        Fix https://bugs.webkit.org/show_bug.cgi?id=18551
        Bug 18551: REGRESSION (r31801?): Crash in ContainerNode::removedFromDocument on many SVG tests under guard malloc
        
        Freeing a RefPtr that is the last ref to the parent from removedFromDocument() is a bad idea.

        Caching the target element is too dangerous, let's simply not do it. Getting it is very cheap anyway.

        * svg/animation/SVGSMILElement.cpp:
        (WebCore::SVGSMILElement::removedFromDocument):
        (WebCore::SVGSMILElement::attributeChanged):
        (WebCore::SVGSMILElement::targetElement):
        * svg/animation/SVGSMILElement.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@32039 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 6b532225
2008-04-17 Antti Koivisto <antti@apple.com>
Reviewed by Oliver.
Fix https://bugs.webkit.org/show_bug.cgi?id=18551
Bug 18551: REGRESSION (r31801?): Crash in ContainerNode::removedFromDocument on many SVG tests under guard malloc
Freeing a RefPtr that is the last ref to the parent from removedFromDocument() is a bad idea.
Caching the target element is too dangerous, let's simply not do it. Getting it is very cheap anyway.
* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::removedFromDocument):
(WebCore::SVGSMILElement::attributeChanged):
(WebCore::SVGSMILElement::targetElement):
* svg/animation/SVGSMILElement.h:
2008-04-17 Sam Weinig <sam@webkit.org>
 
Reviewed by Anders Carlsson.
......@@ -124,7 +124,6 @@ void SVGSMILElement::removedFromDocument()
// OK, but we don't want to die inside the call.
RefPtr<SVGSMILElement> keepAlive(this);
disconnectConditions();
m_targetElement = 0;
SVGElement::removedFromDocument();
}
......@@ -327,9 +326,7 @@ void SVGSMILElement::attributeChanged(Attribute* attr, bool preserveDecls)
SVGElement::attributeChanged(attr, preserveDecls);
const QualifiedName& attrName = attr->name();
if (attrName == XLinkNames::hrefAttr)
m_targetElement = 0;
else if (attrName == SVGNames::durAttr)
if (attrName == SVGNames::durAttr)
m_cachedDur = invalidCachedTime;
else if (attrName == SVGNames::repeatDurAttr)
m_cachedRepeatDur = invalidCachedTime;
......@@ -405,13 +402,11 @@ void SVGSMILElement::reschedule()
SVGElement* SVGSMILElement::targetElement() const
{
if (!m_targetElement) {
String href = xlinkHref();
Node *target = href.isEmpty() ? parentNode() : document()->getElementById(SVGURIReference::getTarget(href));
Node* target = href.isEmpty() ? parentNode() : document()->getElementById(SVGURIReference::getTarget(href));
if (target && target->isSVGElement())
m_targetElement = static_cast<SVGElement*>(target);
}
return m_targetElement.get();
return static_cast<SVGElement*>(target);
return 0;
}
SMILTime SVGSMILElement::elapsed() const
......
......@@ -164,7 +164,6 @@ private:
RefPtr<SMILTimeContainer> m_timeContainer;
mutable RefPtr<SVGElement> m_targetElement;
mutable SMILTime m_cachedDur;
mutable SMILTime m_cachedRepeatDur;
mutable SMILTime m_cachedRepeatCount;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment