From 97788259ef1a83757ab5e540fb78eb7672d31485 Mon Sep 17 00:00:00 2001
From: Cameron McCormack <cam@mcc.id.au>
Date: Mon, 13 Apr 2015 12:34:15 +1000
Subject: [PATCH] Bug 1153693 - Only call ReleaseRef on
 nsStyle{ClipPath,Filter} once when setting a new value. r=dbaron

---
 layout/style/crashtests/1153693-1.html  | 19 +++++++++++++++++++
 layout/style/crashtests/crashtests.list |  1 +
 layout/style/nsStyleStruct.cpp          |  8 ++++++--
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 layout/style/crashtests/1153693-1.html

diff --git a/layout/style/crashtests/1153693-1.html b/layout/style/crashtests/1153693-1.html
new file mode 100644
index 00000000000..1d6947f25bd
--- /dev/null
+++ b/layout/style/crashtests/1153693-1.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<style>
+
+.a { clip-path: url(z); }
+#x { clip-path: inherit; }
+
+</style>
+</head>
+
+<body>
+    <div class="a">
+        <div class="a" id="x"></div>
+    </div>
+</body>
+
+</html>
diff --git a/layout/style/crashtests/crashtests.list b/layout/style/crashtests/crashtests.list
index 2794c039321..c775d0d3217 100644
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -112,5 +112,6 @@ load 1066089-1.html
 load 1074651-1.html
 pref(dom.webcomponents.enabled,true) load 1089463-1.html
 pref(layout.css.expensive-style-struct-assertions.enabled,true) load 1136010-1.html
+load 1153693-1.html
 load large_border_image_width.html
 load border-image-visited-link.html
diff --git a/layout/style/nsStyleStruct.cpp b/layout/style/nsStyleStruct.cpp
index d4503a06c99..afc3c2d716f 100644
--- a/layout/style/nsStyleStruct.cpp
+++ b/layout/style/nsStyleStruct.cpp
@@ -1068,8 +1068,6 @@ nsStyleClipPath::operator=(const nsStyleClipPath& aOther)
     return *this;
   }
 
-  ReleaseRef();
-
   if (aOther.mType == NS_STYLE_CLIP_PATH_URL) {
     SetURL(aOther.mURL);
   } else if (aOther.mType == NS_STYLE_CLIP_PATH_SHAPE) {
@@ -1077,6 +1075,7 @@ nsStyleClipPath::operator=(const nsStyleClipPath& aOther)
   } else if (aOther.mType == NS_STYLE_CLIP_PATH_BOX) {
     SetSizingBox(aOther.mSizingBox);
   } else {
+    ReleaseRef();
     mSizingBox = NS_STYLE_CLIP_SHAPE_SIZING_NOBOX;
     mType = NS_STYLE_CLIP_PATH_NONE;
   }
@@ -1187,7 +1186,11 @@ nsStyleFilter::operator=(const nsStyleFilter& aOther)
     SetDropShadow(aOther.mDropShadow);
   } else if (aOther.mType != NS_STYLE_FILTER_NONE) {
     SetFilterParameter(aOther.mFilterParameter, aOther.mType);
+  } else {
+    ReleaseRef();
+    mType = NS_STYLE_FILTER_NONE;
   }
+
   return *this;
 }
 
@@ -1220,6 +1223,7 @@ nsStyleFilter::ReleaseRef()
     NS_ASSERTION(mURL, "expected pointer");
     mURL->Release();
   }
+  mURL = nullptr;
 }
 
 void