haikuwebkit/LayoutTests/svg/animations/animation-leak-list-propert...

<!DOCTYPE html>
<script src="../../resources/js-test-pre.js"></script>
<script>
 description("This test checks that adding an animation to a SVG element does not leak the whole SVGDocument.")

 function addRect()
 {
     var elem = document.createElementNS("http://www.w3.org/2000/svg", "rect");
     elem.setAttribute("id", "rect");
     elem.setAttribute("x", 50);
     elem.setAttribute("y", 50);
     elem.setAttribute("width", 50);
     elem.setAttribute("height", 50);
     elem.setAttribute("fill", "blue");

     document.getElementById("rootSVG").appendChild(elem);
 }

 function applyTransform()
 {
     var svgroot = document.getElementById("rootSVG");
     var transformList = document.getElementById("rect").transform.baseVal;
     var rotate = svgroot.createSVGTransform();
     rotate.setRotate(15,0,0);
     transformList.appendItem(rotate);
 }

 function removeRect()
 {
     document.getElementById("rootSVG").removeChild(document.getElementById("rect"));
 }

 function test()
 {
     if (!window.internals || !window.GCController) {
         testFailed("This test requires internals and GCController");
         return;
     }

     testRunner.dumpAsText();

     // One gc() call is not enough and causes flakiness in some platforms.
     gc();
     gc();
     var originalLiveElements = internals.numberOfLiveNodes();

     addRect();
     applyTransform();
     removeRect();

     // One gc() call is not enough and causes flakiness in some platforms.
     gc();
     gc();
     var delta = internals.numberOfLiveNodes() - originalLiveElements;
     shouldBeZero(delta.toString());
     var successfullyParsed = true;
 }
</script>
<body onload="test()">
    <svg id="rootSVG" width="300" height="300" xmlns="http://www.w3.org/2000/svg" version="1.1"></svg>
</body>
[SVG] Leak in SVGAnimatedListPropertyTearOff https://bugs.webkit.org/show_bug.cgi?id=172545 Reviewed by Darin Adler. Source/WebCore: SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a reference to SVGAnimatedProperty. When SVGListProperty::getItemValuesAndWrappers() is called, it creates a SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff is going to be added to. This effectively creates a reference cycle between the SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers. In order to effectively break the cycle without freeing too many wrappers we should take two measures: 1) Break the reference cycle by storing raw pointers in the m_wrappers Vector 2) Remove the ListItemTearOff which is being deleted (it notifies the animated property by calling propertyWillBeDeleted) from the m_wrappers Vector. This is a re-land of r219334 which caused early releases of custom data attribute objects added to SVG elements (wkb.ug/175023). Tests: svg/animations/animation-leak-list-property-instances.html svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html svg/dom/SVGAnimatedListPropertyTearOff-crash.html svg/dom/SVGAnimatedListPropertyTearOff-leak.html * svg/properties/SVGAnimatedListPropertyTearOff.h: * svg/properties/SVGListProperty.h: (WebCore::SVGListProperty::getItemValuesAndWrappers): * svg/properties/SVGListPropertyTearOff.h: (WebCore::SVGListPropertyTearOff::removeItemFromList): LayoutTests: The list of new added tests includes the one for the original bug, a new test for the regression and a couple of tests imported from Blink which verify that SVGAnimatedListPropertyTearOff does not crash after the context element goes out of scope. * svg/animations/animation-leak-list-property-instances-expected.txt: Added. * svg/animations/animation-leak-list-property-instances.html: Added. * svg/dom/SVGAnimatedListPropertyTearOff-crash-2-expected.txt: Added. Imported from Blink. * svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html: Added. Imported from Blink. * svg/dom/SVGAnimatedListPropertyTearOff-crash-expected.txt: Added. Imported from Blink. * svg/dom/SVGAnimatedListPropertyTearOff-crash.html: Added. Imported from Blink. * svg/dom/SVGAnimatedListPropertyTearOff-leak-expected.txt: Added. * svg/dom/SVGAnimatedListPropertyTearOff-leak.html: Added. Canonical link: https://commits.webkit.org/192721@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221292 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2017-08-29 09:32:34 +00:00			`<!DOCTYPE html>`
			`<script src="../../resources/js-test-pre.js"></script>`
			`<script>`
			`description("This test checks that adding an animation to a SVG element does not leak the whole SVGDocument.")`

			`function addRect()`
			`{`
			`var elem = document.createElementNS("http://www.w3.org/2000/svg", "rect");`
			`elem.setAttribute("id", "rect");`
			`elem.setAttribute("x", 50);`
			`elem.setAttribute("y", 50);`
			`elem.setAttribute("width", 50);`
			`elem.setAttribute("height", 50);`
			`elem.setAttribute("fill", "blue");`

			`document.getElementById("rootSVG").appendChild(elem);`
			`}`

			`function applyTransform()`
			`{`
			`var svgroot = document.getElementById("rootSVG");`
			`var transformList = document.getElementById("rect").transform.baseVal;`
			`var rotate = svgroot.createSVGTransform();`
			`rotate.setRotate(15,0,0);`
			`transformList.appendItem(rotate);`
			`}`

			`function removeRect()`
			`{`
			`document.getElementById("rootSVG").removeChild(document.getElementById("rect"));`
			`}`

			`function test()`
			`{`
			`if (!window.internals \|\| !window.GCController) {`
			`testFailed("This test requires internals and GCController");`
			`return;`
			`}`

			`testRunner.dumpAsText();`

			`// One gc() call is not enough and causes flakiness in some platforms.`
			`gc();`
			`gc();`
			`var originalLiveElements = internals.numberOfLiveNodes();`

			`addRect();`
			`applyTransform();`
			`removeRect();`

			`// One gc() call is not enough and causes flakiness in some platforms.`
			`gc();`
			`gc();`
			`var delta = internals.numberOfLiveNodes() - originalLiveElements;`
			`shouldBeZero(delta.toString());`
			`var successfullyParsed = true;`
			`}`
			`</script>`
			`<body onload="test()">`
			`<svg id="rootSVG" width="300" height="300" xmlns="http://www.w3.org/2000/svg" version="1.1"></svg>`
			`</body>`