Fix lifetime handling of SVGPropertyTearOffs
authorddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 1 Mar 2014 16:26:15 +0000 (16:26 +0000)
committerddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 1 Mar 2014 16:26:15 +0000 (16:26 +0000)
<http://webkit.org/b/129211>
<rdar://problem/15696025>

Reviewed by Maciej Stachowiak.

Merged from Blink (patch by Ojan Vafai):
https://src.chromium.org/viewvc/blink?revision=157801&view=revision
http://crbug.com/288771

    -Replace SVGStaticPropertyWithParentTearOff with SVGMatrixTearOff
    since it's only used in that one place. This means we can get rid
    of the templatizing and the method pointer.
    -Change SVGPropertyTearOff to keep track of it's child tearoffs
    and call detachWrapper on its child tearoffs when it's destroyed
    or when it's wrapper is detached.
    -Have SVGPropertyTearOff hold WeakPtrs to the child tearoffs
    to avoid having a cycle.

Source/WebCore:

Test: svg/transforms/svg-matrix-tearoff-crash.html

* GNUmakefile.list.am:
* WebCore.vcxproj/WebCore.vcxproj:
* WebCore.vcxproj/WebCore.vcxproj.filters:
* WebCore.xcodeproj/project.pbxproj:
* bindings/scripts/CodeGeneratorJS.pm:
(NativeToJSValue):
* svg/properties/SVGMatrixTearOff.h: Renamed from Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h.
(WebCore::SVGMatrixTearOff::create):
(WebCore::SVGMatrixTearOff::commitChange):
(WebCore::SVGMatrixTearOff::SVGMatrixTearOff):
* svg/properties/SVGPropertyTearOff.h:
(WebCore::SVGPropertyTearOff::addChild):
(WebCore::SVGPropertyTearOff::detachChildren):

LayoutTests:

* svg/transforms/svg-matrix-tearoff-crash-expected.txt: Added.
* svg/transforms/svg-matrix-tearoff-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@164917 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/transforms/svg-matrix-tearoff-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/transforms/svg-matrix-tearoff-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/GNUmakefile.list.am
Source/WebCore/WebCore.vcxproj/WebCore.vcxproj
Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters
Source/WebCore/WebCore.xcodeproj/project.pbxproj
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/svg/properties/SVGMatrixTearOff.h [moved from Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h with 52% similarity]
Source/WebCore/svg/properties/SVGPropertyTearOff.h

index 7a9f1280d17ba4fa6cf1993e178eba2b7d53d932..c6aa367ca772044dc4580eb7eb2e197ec2d6dbd5 100644 (file)
@@ -1,3 +1,27 @@
+2014-03-01  David Kilzer  <ddkilzer@apple.com>
+
+        Fix lifetime handling of SVGPropertyTearOffs
+        <http://webkit.org/b/129211>
+        <rdar://problem/15696025>
+
+        Reviewed by Maciej Stachowiak.
+
+        Merged from Blink (patch by Ojan Vafai):
+        https://src.chromium.org/viewvc/blink?revision=157801&view=revision
+        http://crbug.com/288771
+
+            -Replace SVGStaticPropertyWithParentTearOff with SVGMatrixTearOff
+            since it's only used in that one place. This means we can get rid
+            of the templatizing and the method pointer.
+            -Change SVGPropertyTearOff to keep track of it's child tearoffs
+            and call detachWrapper on its child tearoffs when it's destroyed
+            or when it's wrapper is detached.
+            -Have SVGPropertyTearOff hold WeakPtrs to the child tearoffs
+            to avoid having a cycle.
+
+        * svg/transforms/svg-matrix-tearoff-crash-expected.txt: Added.
+        * svg/transforms/svg-matrix-tearoff-crash.html: Added.
+
 2014-02-28  Benjamin Poulain  <benjamin@webkit.org>
 
         Caller saved registers can be accidentally discarded when clearing the local stack
diff --git a/LayoutTests/svg/transforms/svg-matrix-tearoff-crash-expected.txt b/LayoutTests/svg/transforms/svg-matrix-tearoff-crash-expected.txt
new file mode 100644 (file)
index 0000000..51c2cd1
--- /dev/null
@@ -0,0 +1 @@
+This test passes if it doesn't crash under ASAN. 
diff --git a/LayoutTests/svg/transforms/svg-matrix-tearoff-crash.html b/LayoutTests/svg/transforms/svg-matrix-tearoff-crash.html
new file mode 100644 (file)
index 0000000..9326700
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function eventhandler1() {
+    var transformList = document.createElementNS("http://www.w3.org/2000/svg", "radialGradient").gradientTransform.baseVal;
+    var transform = document.querySelector("svg").createSVGTransform();
+    transformList.appendItem(transform);
+    var matrix = transform.matrix;
+    transformList.initialize(transform);
+    matrix.flipX();
+}
+</script>
+This test passes if it doesn't crash under ASAN.
+<svg onload="eventhandler1()">
index 5d4ab53c229cbd2d132e0c885ee3c8cddd20d913..34e7c7f4b8bb9aa7638b03a6468e3a6af1ee9812 100644 (file)
@@ -1,3 +1,40 @@
+2014-03-01  David Kilzer  <ddkilzer@apple.com>
+
+        Fix lifetime handling of SVGPropertyTearOffs
+        <http://webkit.org/b/129211>
+        <rdar://problem/15696025>
+
+        Reviewed by Maciej Stachowiak.
+
+        Merged from Blink (patch by Ojan Vafai):
+        https://src.chromium.org/viewvc/blink?revision=157801&view=revision
+        http://crbug.com/288771
+
+            -Replace SVGStaticPropertyWithParentTearOff with SVGMatrixTearOff
+            since it's only used in that one place. This means we can get rid
+            of the templatizing and the method pointer.
+            -Change SVGPropertyTearOff to keep track of it's child tearoffs
+            and call detachWrapper on its child tearoffs when it's destroyed
+            or when it's wrapper is detached.
+            -Have SVGPropertyTearOff hold WeakPtrs to the child tearoffs
+            to avoid having a cycle.
+
+        Test: svg/transforms/svg-matrix-tearoff-crash.html
+
+        * GNUmakefile.list.am:
+        * WebCore.vcxproj/WebCore.vcxproj:
+        * WebCore.vcxproj/WebCore.vcxproj.filters:
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (NativeToJSValue):
+        * svg/properties/SVGMatrixTearOff.h: Renamed from Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h.
+        (WebCore::SVGMatrixTearOff::create):
+        (WebCore::SVGMatrixTearOff::commitChange):
+        (WebCore::SVGMatrixTearOff::SVGMatrixTearOff):
+        * svg/properties/SVGPropertyTearOff.h:
+        (WebCore::SVGPropertyTearOff::addChild):
+        (WebCore::SVGPropertyTearOff::detachChildren):
+
 2014-03-01  Zan Dobersek  <zdobersek@igalia.com>
 
         Unreviewed build fix after r164913.
index 399ea010de0462e680c551ff6482d425e109249a..72c545909c5efd17da52cf6f081ce04cf318e038 100644 (file)
@@ -4920,6 +4920,7 @@ webcore_svg_sources += \
        Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h \
        Source/WebCore/svg/properties/SVGListProperty.h \
        Source/WebCore/svg/properties/SVGListPropertyTearOff.h \
+       Source/WebCore/svg/properties/SVGMatrixTearOff.h \
        Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp \
        Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h \
        Source/WebCore/svg/properties/SVGProperty.h \
@@ -4929,7 +4930,6 @@ webcore_svg_sources += \
        Source/WebCore/svg/properties/SVGPropertyTraits.h \
        Source/WebCore/svg/properties/SVGStaticListPropertyTearOff.h \
        Source/WebCore/svg/properties/SVGStaticPropertyTearOff.h \
-       Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h \
        Source/WebCore/svg/properties/SVGTransformListPropertyTearOff.h \
        Source/WebCore/svg/RadialGradientAttributes.h \
        Source/WebCore/svg/SVGAElement.cpp \
index 93726963e01cdcb81fc1e69ba0d6002efd28bcc2..ddde83b91877bb45b0f622f39fb3413ea764c206 100644 (file)
     <ClInclude Include="..\svg\properties\SVGAttributeToPropertyMap.h" />
     <ClInclude Include="..\svg\properties\SVGListProperty.h" />
     <ClInclude Include="..\svg\properties\SVGListPropertyTearOff.h" />
+    <ClInclude Include="..\svg\properties\SVGMatrixTearOff.h" />
     <ClInclude Include="..\svg\properties\SVGPathSegListPropertyTearOff.h" />
     <ClInclude Include="..\svg\properties\SVGProperty.h" />
     <ClInclude Include="..\svg\properties\SVGPropertyInfo.h" />
     <ClInclude Include="..\svg\properties\SVGPropertyTraits.h" />
     <ClInclude Include="..\svg\properties\SVGStaticListPropertyTearOff.h" />
     <ClInclude Include="..\svg\properties\SVGStaticPropertyTearOff.h" />
-    <ClInclude Include="..\svg\properties\SVGStaticPropertyWithParentTearOff.h" />
     <ClInclude Include="..\svg\properties\SVGTransformListPropertyTearOff.h" />
     <ClInclude Include="..\ForwardingHeaders\runtime\ArgList.h" />
     <ClInclude Include="..\ForwardingHeaders\runtime\Identifier.h" />
index d37d19d6de9ab7bc36fe1bb68b64f64ac6be3f31..4ce06f83c77d2b5a112212996bd07bf715cc03b7 100644 (file)
     <ClInclude Include="..\svg\properties\SVGListPropertyTearOff.h">
       <Filter>rendering\svg\properties</Filter>
     </ClInclude>
+    <ClInclude Include="..\svg\properties\SVGMatrixTearOff.h">
+      <Filter>rendering\svg\properties</Filter>
+    </ClInclude>
     <ClInclude Include="..\svg\properties\SVGPathSegListPropertyTearOff.h">
       <Filter>rendering\svg\properties</Filter>
     </ClInclude>
     <ClInclude Include="..\svg\properties\SVGStaticPropertyTearOff.h">
       <Filter>rendering\svg\properties</Filter>
     </ClInclude>
-    <ClInclude Include="..\svg\properties\SVGStaticPropertyWithParentTearOff.h">
-      <Filter>rendering\svg\properties</Filter>
-    </ClInclude>
     <ClInclude Include="..\svg\properties\SVGTransformListPropertyTearOff.h">
       <Filter>rendering\svg\properties</Filter>
     </ClInclude>
index 91b145b1b0537156088297cb94519543eb50b08d..01743c9268374c8a4bcd03a6e4de376a8657260d 100644 (file)
                08C859C01274575400A5728D /* SVGAnimatedRect.h in Headers */ = {isa = PBXBuildFile; fileRef = 08C859BF1274575300A5728D /* SVGAnimatedRect.h */; settings = {ATTRIBUTES = (Private, ); }; };
                08C925190FCC7C4A00480DEC /* FilterEffect.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 08C925170FCC7C4A00480DEC /* FilterEffect.cpp */; };
                08C9251A0FCC7C4A00480DEC /* FilterEffect.h in Headers */ = {isa = PBXBuildFile; fileRef = 08C925180FCC7C4A00480DEC /* FilterEffect.h */; settings = {ATTRIBUTES = (Private, ); }; };
-               08CA3D4412894A3800FFF260 /* SVGStaticPropertyWithParentTearOff.h in Headers */ = {isa = PBXBuildFile; fileRef = 08CA3D4312894A3800FFF260 /* SVGStaticPropertyWithParentTearOff.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               08CA3D4412894A3800FFF260 /* SVGMatrixTearOff.h in Headers */ = {isa = PBXBuildFile; fileRef = 08CA3D4312894A3800FFF260 /* SVGMatrixTearOff.h */; settings = {ATTRIBUTES = (Private, ); }; };
                08D46CE3127AD5FC0089694B /* SVGAnimatedEnumeration.h in Headers */ = {isa = PBXBuildFile; fileRef = 08D46CE2127AD5FC0089694B /* SVGAnimatedEnumeration.h */; settings = {ATTRIBUTES = (Private, ); }; };
                08E4FE460E2BD41400F4CAE0 /* JSSVGLengthCustom.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 08E4FE450E2BD41400F4CAE0 /* JSSVGLengthCustom.cpp */; };
                08EDE19F12A50B8E00B95797 /* SVGRect.h in Headers */ = {isa = PBXBuildFile; fileRef = 08EDE19E12A50B8E00B95797 /* SVGRect.h */; };
                08C859BF1274575300A5728D /* SVGAnimatedRect.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SVGAnimatedRect.h; sourceTree = "<group>"; };
                08C925170FCC7C4A00480DEC /* FilterEffect.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FilterEffect.cpp; path = filters/FilterEffect.cpp; sourceTree = "<group>"; };
                08C925180FCC7C4A00480DEC /* FilterEffect.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FilterEffect.h; path = filters/FilterEffect.h; sourceTree = "<group>"; };
-               08CA3D4312894A3800FFF260 /* SVGStaticPropertyWithParentTearOff.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SVGStaticPropertyWithParentTearOff.h; sourceTree = "<group>"; };
+               08CA3D4312894A3800FFF260 /* SVGMatrixTearOff.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SVGMatrixTearOff.h; sourceTree = "<group>"; };
                08D29440138669E40097C89B /* SVGTextRunRenderingContext.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SVGTextRunRenderingContext.cpp; sourceTree = "<group>"; };
                08D46CE2127AD5FC0089694B /* SVGAnimatedEnumeration.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SVGAnimatedEnumeration.h; sourceTree = "<group>"; };
                08E4FE450E2BD41400F4CAE0 /* JSSVGLengthCustom.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSVGLengthCustom.cpp; sourceTree = "<group>"; };
                                08FB3F8313BC754C0099FC18 /* SVGAttributeToPropertyMap.h */,
                                0810764312828556007C63BA /* SVGListProperty.h */,
                                088A0E00126EF1DB00978F7A /* SVGListPropertyTearOff.h */,
+                               08CA3D4312894A3800FFF260 /* SVGMatrixTearOff.h */,
                                08FF101F12950F5900F00276 /* SVGPathSegListPropertyTearOff.cpp */,
                                084A0828128D7867002DB1F1 /* SVGPathSegListPropertyTearOff.h */,
                                088A0E01126EF1DB00978F7A /* SVGProperty.h */,
                                088A0E03126EF1DB00978F7A /* SVGPropertyTraits.h */,
                                0880F70D1282B46D00948505 /* SVGStaticListPropertyTearOff.h */,
                                0813A4E91284132600992511 /* SVGStaticPropertyTearOff.h */,
-                               08CA3D4312894A3800FFF260 /* SVGStaticPropertyWithParentTearOff.h */,
                                08C7136D128956A3001B107E /* SVGTransformListPropertyTearOff.h */,
                        );
                        path = properties;
                                B2227A440D00BF220071B782 /* SVGMarkerElement.h in Headers */,
                                B2227A470D00BF220071B782 /* SVGMaskElement.h in Headers */,
                                0806E57A12893045007CED32 /* SVGMatrix.h in Headers */,
+                               08CA3D4412894A3800FFF260 /* SVGMatrixTearOff.h in Headers */,
                                B2227A4B0D00BF220071B782 /* SVGMetadataElement.h in Headers */,
                                B2A1F2B10CEF0ABF00442F6A /* SVGMissingGlyphElement.h in Headers */,
                                B2227A4E0D00BF220071B782 /* SVGMPathElement.h in Headers */,
                                E4AFD0100DAF335500F5F55C /* SVGSMILElement.h in Headers */,
                                0880F70E1282B46D00948505 /* SVGStaticListPropertyTearOff.h in Headers */,
                                0813A4EA1284132600992511 /* SVGStaticPropertyTearOff.h in Headers */,
-                               08CA3D4412894A3800FFF260 /* SVGStaticPropertyWithParentTearOff.h in Headers */,
                                B2227AA90D00BF220071B782 /* SVGStopElement.h in Headers */,
                                B2227AAC0D00BF220071B782 /* SVGStringList.h in Headers */,
                                B2227AB80D00BF220071B782 /* SVGStyleElement.h in Headers */,
index 5b9e92d3b04a977c7acf8950fd0696c736cec761..3caf6dc0361ed64e765ddf3376758b376c071bb9 100644 (file)
@@ -3860,10 +3860,9 @@ sub NativeToJSValue
 
             my $selfIsTearOffType = $codeGenerator->IsSVGTypeNeedingTearOff($interfaceName);
             if ($selfIsTearOffType) {
-                AddToImplIncludes("SVGStaticPropertyWithParentTearOff.h", $conditional);
-                $tearOffType =~ s/SVGPropertyTearOff</SVGStaticPropertyWithParentTearOff<$interfaceName, /;
-
-                $value = "${tearOffType}::create(castedThis->impl(), $value, $updateMethod)";
+                AddToImplIncludes("SVGMatrixTearOff.h", $conditional);
+                # FIXME: Blink: Don't create a new one everytime we access the matrix property. This means, e.g, === won't work.
+                $value = "SVGMatrixTearOff::create(castedThis->impl(), $value)";
             } else {
                 AddToImplIncludes("SVGStaticPropertyTearOff.h", $conditional);
                 $tearOffType =~ s/SVGPropertyTearOff</SVGStaticPropertyTearOff<$interfaceName, /;
similarity index 52%
rename from Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h
rename to Source/WebCore/svg/properties/SVGMatrixTearOff.h
index 2b2cbf6b31dc550f30a9189169fbc7261c7c5372..b5c584cc81794c8c1b03c5c1a31e746223258771 100644 (file)
  * Boston, MA 02110-1301, USA.
  */
 
-#ifndef SVGStaticPropertyWithParentTearOff_h
-#define SVGStaticPropertyWithParentTearOff_h
+#ifndef SVGMatrixTearOff_h
+#define SVGMatrixTearOff_h
 
 #include "SVGPropertyTearOff.h"
+#include "SVGTransform.h"
 
 namespace WebCore {
 
-#if COMPILER(MSVC)
-// UpdateMethod is 12 bytes. We have to pack to a size greater than or equal to that to avoid an
-// alignment warning (C4121). 16 is the next-largest size allowed for packing, so we use that.
-#pragma pack(push, 16)
-#endif
-template<typename ParentType, typename PropertyType>
-class SVGStaticPropertyWithParentTearOff : public SVGPropertyTearOff<PropertyType> {
+class SVGMatrixTearOff : public SVGPropertyTearOff<SVGMatrix> {
 public:
-    typedef SVGStaticPropertyWithParentTearOff<ParentType, PropertyType> Self;
-    typedef void (ParentType::*UpdateMethod)();
-
     // Used for non-animated POD types that are not associated with a SVGAnimatedProperty object, nor with a XML DOM attribute
     // and that contain a parent type that's exposed to the bindings via a SVGStaticPropertyTearOff object
     // (for example: SVGTransform::matrix).
-    static PassRefPtr<Self> create(SVGProperty& parent, PropertyType& value, UpdateMethod update)
+    static PassRefPtr<SVGMatrixTearOff> create(SVGPropertyTearOff<SVGTransform>& parent, SVGMatrix& value)
     {
-        return adoptRef(new Self(&parent, value, update));
+        RefPtr<SVGMatrixTearOff> result = adoptRef(new SVGMatrixTearOff(&parent, value));
+        parent.addChild(result->m_weakFactory.createWeakPtr());
+        return result.release();
     }
 
     virtual void commitChange()
     {
-        (static_cast<SVGPropertyTearOff<ParentType>*>(m_parent.get())->propertyReference().*m_update)();
+        m_parent->propertyReference().updateSVGMatrix();
         m_parent->commitChange();
     }
 
 private:
-    SVGStaticPropertyWithParentTearOff(SVGProperty* parent, PropertyType& value, UpdateMethod update)
-        : SVGPropertyTearOff<PropertyType>(0, UndefinedRole, value)
-        , m_update(update)
+    SVGMatrixTearOff(SVGPropertyTearOff<SVGTransform>* parent, SVGMatrix& value)
+        : SVGPropertyTearOff<SVGMatrix>(0, UndefinedRole, value)
         , m_parent(parent)
+        , m_weakFactory(this)
     {
     }
 
-    UpdateMethod m_update;
-    RefPtr<SVGProperty> m_parent;
+    RefPtr<SVGPropertyTearOff<SVGTransform>> m_parent;
+    WeakPtrFactory<SVGPropertyTearOffBase> m_weakFactory;
 };
-#if COMPILER(MSVC)
-#pragma pack(pop)
-#endif
 
 }
 
-#endif // SVGStaticPropertyWithParentTearOff_h
+#endif // SVGMatrixTearOff_h
index 13c0fa54970ddebadc16e6be078a1b1789121ce2..dafb2d6bef7f9c1ac004a3fec865fa2a6deaf8a3 100644 (file)
 #include "SVGAnimatedProperty.h"
 #include "SVGElement.h"
 #include "SVGProperty.h"
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
+class SVGPropertyTearOffBase : public SVGProperty {
+public:
+    virtual void detachWrapper() = 0;
+};
+
 template<typename PropertyType>
-class SVGPropertyTearOff : public SVGProperty {
+class SVGPropertyTearOff : public SVGPropertyTearOffBase {
 public:
     typedef SVGPropertyTearOff<PropertyType> Self;
 
@@ -71,11 +77,18 @@ public:
         return m_contextElement.get();
     }
 
-    void detachWrapper()
+    void addChild(WeakPtr<SVGPropertyTearOffBase> child)
+    {
+        m_childTearOffs.append(child);
+    }
+
+    virtual void detachWrapper() override
     {
         if (m_valueIsCopy)
             return;
 
+        detachChildren();
+
         // Switch from a live value, to a non-live value.
         // For example: <text x="50"/>
         // var item = text.x.baseVal.getItem(0);
@@ -132,10 +145,20 @@ protected:
             delete m_value;
     }
 
+    void detachChildren()
+    {
+        for (const auto& childTearOff : m_childTearOffs) {
+            if (childTearOff.get())
+                childTearOff.get()->detachWrapper();
+        }
+        m_childTearOffs.clear();
+    }
+
     RefPtr<SVGElement> m_contextElement;
     SVGAnimatedProperty* m_animatedProperty;
     SVGPropertyRole m_role;
     PropertyType* m_value;
+    Vector<WeakPtr<SVGPropertyTearOffBase>> m_childTearOffs;
     bool m_valueIsCopy : 1;
 };