Clear SVGElementInstance's children immediately upon detachment
author commit-queue <commit-queue@webkit.org>
Thu, 14 Jul 2011 16:57:44 +0000 (16:57 +0000)
committer Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
Mon, 18 Jul 2011 21:28:06 +0000 (18:28 -0300)
commit 4cbf7a06f84f7fc8d6f0a030ae52c3473526fd95
tree e5bdd63176eef331291d8bcb0eb55d2bbb7ac443
parent 3a4bda7d7ead61f69d00b8c38b6870bb43e99210
Clear SVGElementInstance's children immediately upon detachment
https://bugs.webkit.org/show_bug.cgi?id=63739
<rdar://problem/9705708>

Patch by Tim Horton <timothy_horton@apple.com> on 2011-07-14
Reviewed by Nikolas Zimmermann.

In addition to clearing the instance's children in the destructor,
clear them when the instance is detached from its <use>. This way,
we won't attempt to use them after we're detached but before the
destructor has been called.

Source/WebCore:

Test: svg/custom/use-crash-using-children-before-destroy.svg

* svg/SVGElementInstance.cpp:
(WebCore::SVGElementInstance::~SVGElementInstance):
(WebCore::SVGElementInstance::clearChildren):
* svg/SVGElementInstance.h:
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::detachInstance):

LayoutTests:

* svg/custom/use-crash-using-children-before-destroy-expected.txt: Added.
* svg/custom/use-crash-using-children-before-destroy.svg: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@91005 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/svg/custom/use-crash-using-children-before-destroy-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/use-crash-using-children-before-destroy.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGElementInstance.cpp
Source/WebCore/svg/SVGElementInstance.h
Source/WebCore/svg/SVGUseElement.cpp
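
The lifetime gap the commit message describes, as an added example in simplified C++ that is not WebKit's code and not part of this commit. `Instance`, `UseElement` and `reachableAfterDetach` are hypothetical stand-ins, and the extra outside reference that delays the destructor is an assumption (the page does not say what keeps the instance alive).

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Simplified model, not WebKit code: a ref-counted instance tree owned by a <use>-like element.
struct Instance {
    std::vector<std::shared_ptr<Instance>> children;
    // Destructor-time cleanup: only runs once the last reference is gone.
    ~Instance() { clearChildren(); }
    void clearChildren() { children.clear(); }

    // Number of nodes a holder of this node can still walk to (itself included).
    std::size_t reachable() const {
        std::size_t n = 1;
        for (const auto& child : children) n += child->reachable();
        return n;
    }
};

struct UseElement {
    std::shared_ptr<Instance> root;

    // clearOnDetach = false: cleanup is left to the destructor alone.
    // clearOnDetach = true: children are also dropped at detach time.
    void detachInstance(bool clearOnDetach) {
        if (!root) return;
        if (clearOnDetach) root->clearChildren();
        root.reset();  // destroys the instance only if this was the last reference
    }
};

// Builds a 4-node tree, keeps one outside reference (assumed), detaches,
// and reports how much of the tree is still walkable through that reference.
std::size_t reachableAfterDetach(bool clearOnDetach) {
    UseElement use;
    use.root = std::make_shared<Instance>();
    use.root->children.push_back(std::make_shared<Instance>());
    use.root->children.push_back(std::make_shared<Instance>());
    use.root->children[0]->children.push_back(std::make_shared<Instance>());
    std::shared_ptr<Instance> outside = use.root;  // delays the destructor
    use.detachInstance(clearOnDetach);
    return outside->reachable();
}

int main() {
    std::printf("destructor only: %zu, cleared on detach: %zu\n",
                reachableAfterDetach(false), reachableAfterDetach(true));
}
```

With destructor-only cleanup the whole stale subtree stays walkable through the surviving reference; clearing at detach leaves only the root.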