haikuwebkit/LayoutTests/svg/dom/SVGAnimatedListPropertyTear...

[SVG] Leak in SVGAnimatedListPropertyTearOff
https://bugs.webkit.org/show_bug.cgi?id=172545

Reviewed by Darin Adler.

Source/WebCore:

SVGAnimatedListPropertyTearOff maintains a vector m_wrappers with references to SVGPropertyTraits<PropertyType>::ListItemTearOff. Apart from that SVGPropertyTearOff has a reference to SVGAnimatedProperty.

When SVGListProperty::getItemValuesAndWrappers() is called, it creates a SVGPropertyTraits<PropertyType>::ListItemTearOff pointing to the same SVGAnimatedProperty (a SVGAnimatedListPropertyTearOff) which stores the m_wrappers vector where the ListItemTearOff is going to be added to. This effectively creates a reference cycle between the SVGAnimatedListPropertyTearOff and all the ListItemTearOff it stores in m_wrappers.

In order to effectively break the cycle without freeing too many wrappers we should take two measures:
1) Break the reference cycle by storing raw pointers in the m_wrappers Vector
2) Remove the ListItemTearOff which is being deleted (it notifies the animated property by calling propertyWillBeDeleted) from the m_wrappers Vector.

This is a re-land of r219334 which caused early releases of custom data attribute objects added to SVG elements (wkb.ug/175023).

Tests: svg/animations/animation-leak-list-property-instances.html
       svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html
       svg/dom/SVGAnimatedListPropertyTearOff-crash.html
       svg/dom/SVGAnimatedListPropertyTearOff-leak.html

* svg/properties/SVGAnimatedListPropertyTearOff.h:
* svg/properties/SVGListProperty.h:
(WebCore::SVGListProperty::getItemValuesAndWrappers):
* svg/properties/SVGListPropertyTearOff.h:
(WebCore::SVGListPropertyTearOff::removeItemFromList):

LayoutTests:

The list of new added tests includes the one for the original bug, a new test for the regression and a couple of tests imported from Blink which verify that SVGAnimatedListPropertyTearOff does not crash after the context element goes out of scope.

* svg/animations/animation-leak-list-property-instances-expected.txt: Added.
* svg/animations/animation-leak-list-property-instances.html: Added.
* svg/dom/SVGAnimatedListPropertyTearOff-crash-2-expected.txt: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-crash-2.html: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-crash-expected.txt: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-crash.html: Added. Imported from Blink.
* svg/dom/SVGAnimatedListPropertyTearOff-leak-expected.txt: Added.
* svg/dom/SVGAnimatedListPropertyTearOff-leak.html: Added.

Canonical link: https://commits.webkit.org/192721@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-08-29 09:32:34 +00:00
<!DOCTYPE html>
<script src="../../resources/js-test-pre.js"></script>
<script>
description("This tests SVGAnimatedListPropertyTearOff don't crash if modified after contextElement goes out of scope.");
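// Create a detached SVG <text> element and keep only its dx list wrapper.
var text = document.createElementNS("http://www.w3.org/2000/svg","text");
var baseVal = text.dx.baseVal;
// Drop the only script reference to the context element, then collect garbage.
text = null;
gc();
// Modify the list after its context element has gone out of scope.
var svgLength = document.createElementNS("http://www.w3.org/2000/svg","svg").createSVGLength();
baseVal.appendItem(svgLength);
// Collect again so any wrapper left pointing at freed memory would be touched.
gc();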
debug("This test passes if we don't crash.");
</script>
<script src="../../resources/js-test-post.js"></script>
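
The two measures listed in the commit message, modelled as an added C++ example that is not WebKit's code: the list tracks its wrappers through raw pointers, and a wrapper being destroyed removes itself via `propertyWillBeDeleted`. `std::shared_ptr` stands in for WebKit's reference counting, and `AnimatedList`, `ItemTearOff`, `wrapperForNewItem` and `leakedAfterRelease` are hypothetical names.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

static int liveLists = 0, liveItems = 0;  // instance counters used to observe leaks

struct ItemTearOff;

// Stand-in for SVGAnimatedListPropertyTearOff: tracks its wrappers without owning them.
struct AnimatedList : std::enable_shared_from_this<AnimatedList> {
    std::vector<ItemTearOff*> wrappers;   // measure 1: raw pointers, so no ownership cycle
    AnimatedList() { ++liveLists; }
    ~AnimatedList() { --liveLists; }
    std::shared_ptr<ItemTearOff> wrapperForNewItem();
    // Measure 2: a dying wrapper removes itself, so no dangling pointer stays behind.
    void propertyWillBeDeleted(ItemTearOff* item) {
        wrappers.erase(std::remove(wrappers.begin(), wrappers.end(), item), wrappers.end());
    }
};

// Stand-in for ListItemTearOff: keeps the animated property alive while it is referenced.
struct ItemTearOff {
    std::shared_ptr<AnimatedList> owner;  // the only strong edge: wrapper -> list
    explicit ItemTearOff(std::shared_ptr<AnimatedList> o) : owner(std::move(o)) { ++liveItems; }
    ~ItemTearOff() { owner->propertyWillBeDeleted(this); --liveItems; }
};

std::shared_ptr<ItemTearOff> AnimatedList::wrapperForNewItem() {
    auto item = std::make_shared<ItemTearOff>(shared_from_this());
    wrappers.push_back(item.get());       // non-owning registration
    return item;
}

// Returns how many objects are still alive once every external reference is dropped.
int leakedAfterRelease() {
    auto list = std::make_shared<AnimatedList>();
    auto a = list->wrapperForNewItem();
    auto b = list->wrapperForNewItem();
    AnimatedList* raw = list.get();
    list.reset();                              // the caller's reference to the list goes away
    if (liveLists != 1) return -1;             // wrappers must still keep the list alive
    a.reset();
    if (raw->wrappers.size() != 1) return -2;  // the stale entry must have been erased
    b.reset();                                 // the last wrapper releases the list as well
    return liveLists + liveItems;
}

int main() { return leakedAfterRelease(); }
```

If `wrappers` held `std::shared_ptr<ItemTearOff>` instead, the list and its wrappers would own each other and `leakedAfterRelease` would never reach zero, which is the leak the commit fixes.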