Changeset 196268 in webkit

Timestamp:

Feb 8, 2016 12:54:05 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

REGRESSION(r181345): SVG polyline and polygon leak page
​https://bugs.webkit.org/show_bug.cgi?id=152759

Patch by Said Abou-Hallawa <​sabouhallawa@apple.com> on 2016-02-08
Reviewed by Darin Adler.

Source/WebCore:

The leak happens because of cyclic reference between SVGListPropertyTearOff
and SVGAnimatedListPropertyTearOff which is derived from SVGAnimatedProperty.
There is also cyclic reference between SVGAnimatedProperty and SVGElement
and this causes the whole document to be leaked. So if the JS requests, for
example, an instance of SVGPolylineElement.points, the whole document will be
leaked.

The fix depends on having the cyclic reference as is since the owning and the
owned classes have to live together if any of them is referenced. But the owning
class caches a raw 'ref-counted' pointer of the owned class. If it is requested
for an instance of the owned class it returned a RefPtr<> of it. Once the owned
class is not used, it can delete itself. The only thing needed here is to notify
the owner class of the deletion so it cleans its caches and be able to create a
new pointer if it is requested for an instance of the owned class later.

Revert the change of r181345 in SVGAnimatedProperty::lookupOrCreateWrapper()
to break the cyclic reference between SVGElement and SVGAnimatedProperty.

Also apply the same approach in SVGAnimatedListPropertyTearOff::baseVal() and
animVal() to break cyclic reference between SVGListPropertyTearOff and
SVGAnimatedListPropertyTearOff.

Test: svg/animations/smil-leak-list-property-instances.svg

• bindings/scripts/CodeGeneratorJS.pm:

(NativeToJSValue): The SVG non-string list tear-off properties became of
type RefPtr<>. So we need to use get() with the casting expressions.

• svg/SVGMarkerElement.cpp:

(WebCore::SVGMarkerElement::orientType):
Use 'auto' type for the return of SVGAnimatedProperty::lookupWrapper().

• svg/SVGPathElement.cpp:

(WebCore::SVGPathElement::pathByteStream):
(WebCore::SVGPathElement::lookupOrCreateDWrapper):
Since SVGAnimatedProperty::lookupWrappe() returns a RefPtr<> we need to
use get() for the casting expressions.

(WebCore::SVGPathElement::pathSegList):
(WebCore::SVGPathElement::normalizedPathSegList):
(WebCore::SVGPathElement::animatedPathSegList):
(WebCore::SVGPathElement::animatedNormalizedPathSegList):

• svg/SVGPathElement.h:

Change the return value from raw pointer to RefPtr<>.

• svg/SVGPathSegWithContext.h:

(WebCore::SVGPathSegWithContext::animatedProperty):
Change the return type to be RefPtr<> to preserve the value from being deleted.

• svg/SVGPolyElement.cpp:

(WebCore::SVGPolyElement::parseAttribute):
Since SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to
use get() for the casting expressions.

(WebCore::SVGPolyElement::points):
(WebCore::SVGPolyElement::animatedPoints):

• svg/SVGPolyElement.h:

Change the return value from raw pointer to RefPtr<>.

• svg/SVGViewSpec.cpp:

(WebCore::SVGViewSpec::setTransformString):
Since SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to
use get() for the casting expressions.

(WebCore::SVGViewSpec::transform):

• svg/SVGViewSpec.h:

Change the return value from raw pointer to RefPtr<>.

• svg/properties/SVGAnimatedListPropertyTearOff.h:

(WebCore::SVGAnimatedListPropertyTearOff::baseVal):
(WebCore::SVGAnimatedListPropertyTearOff::animVal):
Change the return value from raw pointer to RefPtr<> and change the cached
value from RefPtr<> to raw pointer. If the property is null, it will be
created, its raw pointer will be cached and the only ref-counted RefPtr<>
will be returned. This will guarantee, the RefPtr<> will be deleted once
it is not used anymore.

(WebCore::SVGAnimatedListPropertyTearOff::propertyWillBeDeleted):
Clean the raw pointer caches m_baseVal and m_animVal upon deleting the
actual pointer. This function will be called from the destructor of
SVGListPropertyTearOff.

(WebCore::SVGAnimatedListPropertyTearOff::findItem):
(WebCore::SVGAnimatedListPropertyTearOff::removeItemFromList):
We have to ensure the baseVal() is created before using it.

(WebCore::SVGAnimatedListPropertyTearOff::detachListWrappers):
(WebCore::SVGAnimatedListPropertyTearOff::currentAnimatedValue):
(WebCore::SVGAnimatedListPropertyTearOff::animationStarted):
(WebCore::SVGAnimatedListPropertyTearOff::animationEnded):
(WebCore::SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded):
(WebCore::SVGAnimatedListPropertyTearOff::animValWillChange):
(WebCore::SVGAnimatedListPropertyTearOff::animValDidChange):
For animation, a separate RefPtr<> 'm_animatingAnimVal' will be assigned
to the animVal(). This will prevent deleting m_animVal while animation.

• svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:

(WebCore::SVGAnimatedPathSegListPropertyTearOff::baseVal):
(WebCore::SVGAnimatedPathSegListPropertyTearOff::animVal):
Same as what is done in SVGAnimatedListPropertyTearOff.

(WebCore::SVGAnimatedPathSegListPropertyTearOff::findItem):
(WebCore::SVGAnimatedPathSegListPropertyTearOff::removeItemFromList):
Same as what is done in SVGAnimatedListPropertyTearOff.

• svg/properties/SVGAnimatedProperty.h:

(WebCore::SVGAnimatedProperty::lookupOrCreateWrapper):
Change the return value from raw reference to Ref<> and change the
cached value from Ref<> to raw pointer. This reverts the change of
r181345 in this function.

(WebCore::SVGAnimatedProperty::lookupWrapper):
Change the return value from raw pointer to RefPtr<>.

• svg/properties/SVGAnimatedPropertyMacros.h:

Use 'auto' type for the return of SVGAnimatedProperty::lookupWrapper().

• svg/properties/SVGAnimatedTransformListPropertyTearOff.h:

(WebCore::SVGAnimatedTransformListPropertyTearOff::baseVal):
(WebCore::SVGAnimatedTransformListPropertyTearOff::animVal):
Same as what is done in SVGAnimatedListPropertyTearOff.

• svg/properties/SVGListPropertyTearOff.h:

(WebCore::SVGListPropertyTearOff::~SVGListPropertyTearOff):
Call the SVGAnimatedListPropertyTearOff::propertyWillBeDeleted() to clean
its raw pointers when the RefPtr<> deletes itself.

LayoutTests:

• TestExpectations: Remove flaky tests from test expectation.

• svg/animations/smil-leak-list-property-instances-expected.txt: Added.
• svg/animations/smil-leak-list-property-instances.svg: Added.

Ensure if SVGPolylineElement.points is requested from JS, the document will
not leak.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/svg/animations/smil-leak-list-property-instances-expected.txt (added)
• LayoutTests/svg/animations/smil-leak-list-property-instances.svg (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/svg/SVGMarkerElement.cpp (modified) (1 diff)
• Source/WebCore/svg/SVGPathElement.cpp (modified) (3 diffs)
• Source/WebCore/svg/SVGPathElement.h (modified) (1 diff)
• Source/WebCore/svg/SVGPathSegWithContext.h (modified) (1 diff)
• Source/WebCore/svg/SVGPolyElement.cpp (modified) (2 diffs)
• Source/WebCore/svg/SVGPolyElement.h (modified) (1 diff)
• Source/WebCore/svg/SVGViewSpec.cpp (modified) (2 diffs)
• Source/WebCore/svg/SVGViewSpec.h (modified) (1 diff)
• Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h (modified) (10 diffs)
• Source/WebCore/svg/properties/SVGAnimatedPathSegListPropertyTearOff.h (modified) (2 diffs)
• Source/WebCore/svg/properties/SVGAnimatedProperty.h (modified) (2 diffs)
• Source/WebCore/svg/properties/SVGAnimatedPropertyMacros.h (modified) (2 diffs)
• Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h (modified) (1 diff)
• Source/WebCore/svg/properties/SVGListPropertyTearOff.h (modified) (1 diff)
• Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-02-08  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        REGRESSION(r181345): SVG polyline and polygon leak page
+        https://bugs.webkit.org/show_bug.cgi?id=152759
+
+        Reviewed by Darin Adler.
+
+        * TestExpectations: Remove flaky tests from test expectation.
+        
+        * svg/animations/smil-leak-list-property-instances-expected.txt: Added.
+        * svg/animations/smil-leak-list-property-instances.svg: Added.
+        Ensure if SVGPolylineElement.points is requested from JS, the document will
+        not leak.
+
 2016-02-08  Brady Eidson  <beidson@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -638 +638 @@
 http/tests/contentextensions [ Skip ]
 
-# These tests were flaky on Mac only but they became flaky on all ports after r181345
-webkit.org/b/114280 svg/animations/smil-leak-dynamically-added-element-instances.svg [ Pass Failure ]
-webkit.org/b/114280 svg/animations/smil-leak-element-instances-noBaseValRef.svg [ Pass Failure ]
-webkit.org/b/114280 svg/animations/smil-leak-element-instances.svg [ Pass Failure ]
-webkit.org/b/114280 svg/animations/smil-leak-elements.svg [ Pass Failure ]
-
 webkit.org/b/149072 svg/animations/svgboolean-animation-1.html [ Pass Failure ]
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-08  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        REGRESSION(r181345): SVG polyline and polygon leak page
+        https://bugs.webkit.org/show_bug.cgi?id=152759
+
+        Reviewed by Darin Adler.
+
+        The leak happens because of cyclic reference between SVGListPropertyTearOff 
+        and SVGAnimatedListPropertyTearOff which is derived from SVGAnimatedProperty.
+        There is also cyclic reference between SVGAnimatedProperty and SVGElement
+        and this causes the whole document to be leaked. So if the JS requests, for
+        example, an instance of SVGPolylineElement.points, the whole document will be
+        leaked.
+
+        The fix depends on having the cyclic reference as is since the owning and the
+        owned classes have to live together if any of them is referenced. But the owning
+        class caches a raw 'ref-counted' pointer of the owned class. If it is requested
+        for an instance of the owned class it returned a RefPtr<> of it. Once the owned
+        class is not used, it can delete itself. The only thing needed here is to notify
+        the owner class of the deletion so it cleans its caches and be able to create a
+        new pointer if it is requested for an instance of the owned class later.
+
+        Revert the change of r181345 in SVGAnimatedProperty::lookupOrCreateWrapper()
+        to break the cyclic reference between SVGElement and SVGAnimatedProperty.
+        
+        Also apply the same approach in SVGAnimatedListPropertyTearOff::baseVal() and
+        animVal() to break cyclic reference between SVGListPropertyTearOff and
+        SVGAnimatedListPropertyTearOff.
+
+        Test: svg/animations/smil-leak-list-property-instances.svg
+
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (NativeToJSValue): The SVG non-string list tear-off properties became of
+        type RefPtr<>. So we need to use get() with the casting expressions.
+        
+        * svg/SVGMarkerElement.cpp:
+        (WebCore::SVGMarkerElement::orientType):
+        Use 'auto' type for the return of SVGAnimatedProperty::lookupWrapper().
+
+        * svg/SVGPathElement.cpp:
+        (WebCore::SVGPathElement::pathByteStream):
+        (WebCore::SVGPathElement::lookupOrCreateDWrapper):
+        Since SVGAnimatedProperty::lookupWrappe() returns a RefPtr<> we need to 
+        use get() for the casting expressions.
+        
+        (WebCore::SVGPathElement::pathSegList):
+        (WebCore::SVGPathElement::normalizedPathSegList):
+        (WebCore::SVGPathElement::animatedPathSegList):
+        (WebCore::SVGPathElement::animatedNormalizedPathSegList):
+        * svg/SVGPathElement.h:
+        Change the return value from raw pointer to RefPtr<>.
+
+        * svg/SVGPathSegWithContext.h:
+        (WebCore::SVGPathSegWithContext::animatedProperty):
+        Change the return type to be RefPtr<> to preserve the value from being deleted.
+        
+        * svg/SVGPolyElement.cpp:
+        (WebCore::SVGPolyElement::parseAttribute):
+        Since SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to 
+        use get() for the casting expressions.
+        
+        (WebCore::SVGPolyElement::points):
+        (WebCore::SVGPolyElement::animatedPoints):
+        * svg/SVGPolyElement.h:
+        Change the return value from raw pointer to RefPtr<>.
+        
+        * svg/SVGViewSpec.cpp:
+        (WebCore::SVGViewSpec::setTransformString):
+        Since SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to 
+        use get() for the casting expressions.
+
+        (WebCore::SVGViewSpec::transform):
+        * svg/SVGViewSpec.h:
+        Change the return value from raw pointer to RefPtr<>.
+        
+        * svg/properties/SVGAnimatedListPropertyTearOff.h:
+        (WebCore::SVGAnimatedListPropertyTearOff::baseVal):
+        (WebCore::SVGAnimatedListPropertyTearOff::animVal):
+        Change the return value from raw pointer to RefPtr<> and change the cached
+        value from RefPtr<> to raw pointer. If the property is null, it will be
+        created, its raw pointer will be cached and the only ref-counted RefPtr<>
+        will be returned. This will guarantee, the RefPtr<> will be deleted once
+        it is not used anymore. 
+        
+        (WebCore::SVGAnimatedListPropertyTearOff::propertyWillBeDeleted):
+        Clean the raw pointer caches m_baseVal and m_animVal upon deleting the
+        actual pointer. This function will be called from the destructor of
+        SVGListPropertyTearOff.
+        
+        (WebCore::SVGAnimatedListPropertyTearOff::findItem):
+        (WebCore::SVGAnimatedListPropertyTearOff::removeItemFromList):
+        We have to ensure the baseVal() is created before using it.
+        
+        (WebCore::SVGAnimatedListPropertyTearOff::detachListWrappers):
+        (WebCore::SVGAnimatedListPropertyTearOff::currentAnimatedValue):
+        (WebCore::SVGAnimatedListPropertyTearOff::animationStarted):
+        (WebCore::SVGAnimatedListPropertyTearOff::animationEnded):
+        (WebCore::SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded):
+        (WebCore::SVGAnimatedListPropertyTearOff::animValWillChange):
+        (WebCore::SVGAnimatedListPropertyTearOff::animValDidChange):
+        For animation, a separate RefPtr<> 'm_animatingAnimVal' will be assigned
+        to the animVal(). This will prevent deleting m_animVal while animation.
+        
+        * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
+        (WebCore::SVGAnimatedPathSegListPropertyTearOff::baseVal):
+        (WebCore::SVGAnimatedPathSegListPropertyTearOff::animVal):
+        Same as what is done in SVGAnimatedListPropertyTearOff.
+        
+        (WebCore::SVGAnimatedPathSegListPropertyTearOff::findItem):
+        (WebCore::SVGAnimatedPathSegListPropertyTearOff::removeItemFromList):
+        Same as what is done in SVGAnimatedListPropertyTearOff.
+        
+        * svg/properties/SVGAnimatedProperty.h:
+        (WebCore::SVGAnimatedProperty::lookupOrCreateWrapper):
+        Change the return value from raw reference to Ref<> and change the
+        cached value from Ref<> to raw pointer. This reverts the change of
+        r181345 in this function.
+        
+        (WebCore::SVGAnimatedProperty::lookupWrapper):
+        Change the return value from raw pointer to RefPtr<>.
+        
+        * svg/properties/SVGAnimatedPropertyMacros.h:
+        Use 'auto' type for the return of SVGAnimatedProperty::lookupWrapper().
+        
+        * svg/properties/SVGAnimatedTransformListPropertyTearOff.h:
+        (WebCore::SVGAnimatedTransformListPropertyTearOff::baseVal):
+        (WebCore::SVGAnimatedTransformListPropertyTearOff::animVal):
+        Same as what is done in SVGAnimatedListPropertyTearOff.
+
+        * svg/properties/SVGListPropertyTearOff.h:
+        (WebCore::SVGListPropertyTearOff::~SVGListPropertyTearOff):
+        Call the SVGAnimatedListPropertyTearOff::propertyWillBeDeleted() to clean
+        its raw pointers when the RefPtr<> deletes itself.
+
 2016-02-08  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -4253 +4253 @@
     }
 
-    if ($codeGenerator->IsSVGAnimatedType($interfaceName) or $interfaceName eq "SVGViewSpec") {
+    # $type has to be used here because SVGViewSpec.transform is of type SVGTransformList.
+    if ($codeGenerator->IsSVGTypeNeedingTearOff($type) and $type =~ /(?<!String)List$/) {
+        # Convert from abstract RefPtr<ListProperty> to real type, so the right toJS() method can be invoked.
+        $value = "static_cast<" . GetNativeType($type) . ">($value" . ".get())";
+    } elsif ($codeGenerator->IsSVGAnimatedType($interfaceName) or $interfaceName eq "SVGViewSpec") {
         # Convert from abstract SVGProperty to real type, so the right toJS() method can be invoked.
         $value = "static_cast<" . GetNativeType($type) . ">($value)";

trunk/Source/WebCore/svg/SVGMarkerElement.cpp

@@ -252 +252 @@
 SVGMarkerOrientType& SVGMarkerElement::orientType() const
 {
-    if (SVGAnimatedEnumeration* wrapper = SVGAnimatedProperty::lookupWrapper<UseOwnerType, SVGAnimatedEnumeration>(this, orientTypePropertyInfo())) {
+    if (auto wrapper = SVGAnimatedProperty::lookupWrapper<UseOwnerType, SVGAnimatedEnumeration>(this, orientTypePropertyInfo())) {
         if (wrapper->isAnimating()) {
             ASSERT(wrapper->currentAnimatedValue() < SVGMarkerOrientMax);

trunk/Source/WebCore/svg/SVGPathElement.cpp

@@ -295 +295 @@
 const SVGPathByteStream& SVGPathElement::pathByteStream() const
 {
-    SVGAnimatedProperty* property = SVGAnimatedProperty::lookupWrapper<SVGPathElement, SVGAnimatedPathSegListPropertyTearOff>(this, dPropertyInfo());
+    auto property = SVGAnimatedProperty::lookupWrapper<SVGPathElement, SVGAnimatedPathSegListPropertyTearOff>(this, dPropertyInfo());
     if (!property || !property->isAnimating())
         return m_pathByteStream;
     
-    SVGPathByteStream* animatedPathByteStream = static_cast<SVGAnimatedPathSegListPropertyTearOff*>(property)->animatedPathByteStream();
+    SVGPathByteStream* animatedPathByteStream = static_cast<SVGAnimatedPathSegListPropertyTearOff*>(property.get())->animatedPathByteStream();
     if (!animatedPathByteStream)
         return m_pathByteStream;
@@ -311 +311 @@
     SVGPathElement& ownerType = downcast<SVGPathElement>(*contextElement);
 
-    if (SVGAnimatedProperty* property = SVGAnimatedProperty::lookupWrapper<SVGPathElement, SVGAnimatedPathSegListPropertyTearOff>(&ownerType, dPropertyInfo()))
+    if (auto property = SVGAnimatedProperty::lookupWrapper<SVGPathElement, SVGAnimatedPathSegListPropertyTearOff>(&ownerType, dPropertyInfo()))
         return *property;
 
@@ -330 +330 @@
 }
 
-SVGPathSegListPropertyTearOff* SVGPathElement::pathSegList()
+RefPtr<SVGPathSegListPropertyTearOff> SVGPathElement::pathSegList()
 {
     m_pathSegList.shouldSynchronize = true;
-    return static_cast<SVGPathSegListPropertyTearOff*>(static_reference_cast<SVGAnimatedPathSegListPropertyTearOff>(lookupOrCreateDWrapper(this))->baseVal());
-}
-
-SVGPathSegListPropertyTearOff* SVGPathElement::normalizedPathSegList()
+    return static_cast<SVGPathSegListPropertyTearOff*>(static_reference_cast<SVGAnimatedPathSegListPropertyTearOff>(lookupOrCreateDWrapper(this))->baseVal().get());
+}
+
+RefPtr<SVGPathSegListPropertyTearOff> SVGPathElement::normalizedPathSegList()
 {
     // FIXME: https://bugs.webkit.org/show_bug.cgi?id=15412 - Implement normalized path segment lists!
-    return 0;
-}
-
-SVGPathSegListPropertyTearOff* SVGPathElement::animatedPathSegList()
+    return nullptr;
+}
+
+RefPtr<SVGPathSegListPropertyTearOff> SVGPathElement::animatedPathSegList()
 {
     m_pathSegList.shouldSynchronize = true;
     m_isAnimValObserved = true;
-    return static_cast<SVGPathSegListPropertyTearOff*>(static_reference_cast<SVGAnimatedPathSegListPropertyTearOff>(lookupOrCreateDWrapper(this))->animVal());
-}
-
-SVGPathSegListPropertyTearOff* SVGPathElement::animatedNormalizedPathSegList()
+    return static_cast<SVGPathSegListPropertyTearOff*>(static_reference_cast<SVGAnimatedPathSegListPropertyTearOff>(lookupOrCreateDWrapper(this))->animVal().get());
+}
+
+RefPtr<SVGPathSegListPropertyTearOff> SVGPathElement::animatedNormalizedPathSegList()
 {
     // FIXME: https://bugs.webkit.org/show_bug.cgi?id=15412 - Implement normalized path segment lists!
-    return 0;
+    return nullptr;
 }
 

trunk/Source/WebCore/svg/SVGPathElement.h

@@ -83 +83 @@
 
     // Used in the bindings only.
-    SVGPathSegListPropertyTearOff* pathSegList();
-    SVGPathSegListPropertyTearOff* animatedPathSegList();
-    SVGPathSegListPropertyTearOff* normalizedPathSegList();
-    SVGPathSegListPropertyTearOff* animatedNormalizedPathSegList();
+    RefPtr<SVGPathSegListPropertyTearOff> pathSegList();
+    RefPtr<SVGPathSegListPropertyTearOff> animatedPathSegList();
+    RefPtr<SVGPathSegListPropertyTearOff> normalizedPathSegList();
+    RefPtr<SVGPathSegListPropertyTearOff> animatedNormalizedPathSegList();
 
     const SVGPathByteStream& pathByteStream() const;

trunk/Source/WebCore/svg/SVGPathSegWithContext.h

@@ -33 +33 @@
     }
 
-    SVGAnimatedProperty* animatedProperty() const
+    RefPtr<SVGAnimatedProperty> animatedProperty() const
     {
         if (!m_element)

trunk/Source/WebCore/svg/SVGPolyElement.cpp

@@ -69 +69 @@
             document().accessSVGExtensions().reportError("Problem parsing points=\"" + value + "\"");
 
-        if (SVGAnimatedProperty* wrapper = SVGAnimatedProperty::lookupWrapper<SVGPolyElement, SVGAnimatedPointList>(this, pointsPropertyInfo()))
-            static_cast<SVGAnimatedPointList*>(wrapper)->detachListWrappers(newList.size());
+        if (auto wrapper = SVGAnimatedProperty::lookupWrapper<SVGPolyElement, SVGAnimatedPointList>(this, pointsPropertyInfo()))
+            static_pointer_cast<SVGAnimatedPointList>(wrapper)->detachListWrappers(newList.size());
 
         m_points.value = newList;
@@ -119 +119 @@
 }
 
-SVGListPropertyTearOff<SVGPointList>* SVGPolyElement::points()
+RefPtr<SVGListPropertyTearOff<SVGPointList>> SVGPolyElement::points()
 {
     m_points.shouldSynchronize = true;
-    return static_cast<SVGListPropertyTearOff<SVGPointList>*>(static_reference_cast<SVGAnimatedPointList>(lookupOrCreatePointsWrapper(this))->baseVal());
+    return static_cast<SVGListPropertyTearOff<SVGPointList>*>(static_reference_cast<SVGAnimatedPointList>(lookupOrCreatePointsWrapper(this))->baseVal().get());
 }
 
-SVGListPropertyTearOff<SVGPointList>* SVGPolyElement::animatedPoints()
+RefPtr<SVGListPropertyTearOff<SVGPointList>> SVGPolyElement::animatedPoints()
 {
     m_points.shouldSynchronize = true;
-    return static_cast<SVGListPropertyTearOff<SVGPointList>*>(static_reference_cast<SVGAnimatedPointList>(lookupOrCreatePointsWrapper(this))->animVal());
+    return static_cast<SVGListPropertyTearOff<SVGPointList>*>(static_reference_cast<SVGAnimatedPointList>(lookupOrCreatePointsWrapper(this))->animVal().get());
 }
 

trunk/Source/WebCore/svg/SVGPolyElement.h

@@ -32 +32 @@
 class SVGPolyElement : public SVGGraphicsElement, public SVGExternalResourcesRequired {
 public:
-    SVGListPropertyTearOff<SVGPointList>* points();
-    SVGListPropertyTearOff<SVGPointList>* animatedPoints();
+    RefPtr<SVGListPropertyTearOff<SVGPointList>> points();
+    RefPtr<SVGListPropertyTearOff<SVGPointList>> animatedPoints();
 
     SVGPointList& pointList() const { return m_points.value; }

trunk/Source/WebCore/svg/SVGViewSpec.cpp

@@ -115 +115 @@
     newList.parse(transform);
 
-    if (SVGAnimatedProperty* wrapper = SVGAnimatedProperty::lookupWrapper<SVGElement, SVGAnimatedTransformList>(m_contextElement, transformPropertyInfo()))
-        static_cast<SVGAnimatedTransformList*>(wrapper)->detachListWrappers(newList.size());
+    if (auto wrapper = SVGAnimatedProperty::lookupWrapper<SVGElement, SVGAnimatedTransformList>(m_contextElement, transformPropertyInfo()))
+        static_pointer_cast<SVGAnimatedTransformList>(wrapper)->detachListWrappers(newList.size());
 
     m_transform = newList;
@@ -146 +146 @@
 }
 
-SVGTransformListPropertyTearOff* SVGViewSpec::transform()
+RefPtr<SVGTransformListPropertyTearOff> SVGViewSpec::transform()
 {
     if (!m_contextElement)
         return nullptr;
     // Return the animVal here, as its readonly by default - which is exactly what we want here.
-    return static_cast<SVGTransformListPropertyTearOff*>(static_reference_cast<SVGAnimatedTransformList>(lookupOrCreateTransformWrapper(this))->animVal());
+    return static_pointer_cast<SVGTransformListPropertyTearOff>(static_reference_cast<SVGAnimatedTransformList>(lookupOrCreateTransformWrapper(this))->animVal());
 }
 

trunk/Source/WebCore/svg/SVGViewSpec.h

@@ -69 +69 @@
 
     // Custom non-animated 'transform' property.
-    SVGTransformListPropertyTearOff* transform();
+    RefPtr<SVGTransformListPropertyTearOff> transform();
     SVGTransformList transformBaseValue() const { return m_transform; }
 

trunk/Source/WebCore/svg/properties/SVGAnimatedListPropertyTearOff.h

@@ -40 +40 @@
     typedef PropertyType ContentType;
 
-    virtual ListProperty* baseVal()
-    {
-        if (!m_baseVal)
-            m_baseVal = ListPropertyTearOff::create(this, BaseValRole, m_values, m_wrappers);
-        return static_cast<ListProperty*>(m_baseVal.get());
-    }
-
-    virtual ListProperty* animVal()
-    {
-        if (!m_animVal)
-            m_animVal = ListPropertyTearOff::create(this, AnimValRole, m_values, m_wrappers);
-        return static_cast<ListProperty*>(m_animVal.get());
+    virtual RefPtr<ListProperty> baseVal()
+    {
+        if (m_baseVal)
+            return m_baseVal;
+
+        auto property = ListPropertyTearOff::create(this, BaseValRole, m_values, m_wrappers);
+        m_baseVal = property.ptr();
+        return WTFMove(property);
+    }
+
+    virtual RefPtr<ListProperty> animVal()
+    {
+        if (m_animVal)
+            return m_animVal;
+
+        auto property = ListPropertyTearOff::create(this, AnimValRole, m_values, m_wrappers);
+        m_animVal = property.ptr();
+        return WTFMove(property);
+    }
+
+    void propertyWillBeDeleted(const ListProperty& property)
+    {
+        if (&property == m_baseVal)
+            m_baseVal = nullptr;
+        else if (&property == m_animVal)
+            m_animVal = nullptr;
     }
 
     virtual bool isAnimatedListTearOff() const override { return true; }
 
-    int findItem(SVGProperty* property) const
+    int findItem(SVGProperty* property)
     {
         // This should ever be called for our baseVal, as animVal can't modify the list.
         // It's safe to cast to ListPropertyTearOff here as all classes inheriting from us supply their own removeItemFromList() method.
         typedef SVGPropertyTearOff<typename SVGPropertyTraits<PropertyType>::ListItemType> ListItemTearOff;
-        return static_cast<ListPropertyTearOff*>(m_baseVal.get())->findItem(static_cast<ListItemTearOff*>(property));
+        return static_pointer_cast<ListPropertyTearOff>(baseVal())->findItem(static_cast<ListItemTearOff*>(property));
     }
 
@@ -68 +82 @@
         // This should ever be called for our baseVal, as animVal can't modify the list.
         // It's safe to cast to ListPropertyTearOff here as all classes inheriting from us supply their own removeItemFromList() method.
-        static_cast<ListPropertyTearOff*>(m_baseVal.get())->removeItemFromList(itemIndex, shouldSynchronizeWrappers);
+        static_pointer_cast<ListPropertyTearOff>(baseVal())->removeItemFromList(itemIndex, shouldSynchronizeWrappers);
     }
 
@@ -79 +93 @@
     {
         ASSERT(m_isAnimating);
-        ASSERT(m_animVal);
-        return static_cast<ListProperty*>(m_animVal.get())->values();
+        ASSERT(m_animatingAnimVal);
+        return static_pointer_cast<ListProperty>(m_animatingAnimVal)->values();
     }
 
@@ -91 +105 @@
     {
         ASSERT(!m_isAnimating);
+        ASSERT(!m_animatingAnimVal);
         ASSERT(newAnimVal);
         ASSERT(m_values.size() == m_wrappers.size());
@@ -99 +114 @@
             m_animatedWrappers.fill(0, newAnimVal->size());
 
-        ListProperty* animVal = static_cast<ListProperty*>(this->animVal());
-        animVal->setValuesAndWrappers(newAnimVal, &m_animatedWrappers, shouldOwnValues);
-        ASSERT(animVal->values().size() == animVal->wrappers().size());
-        ASSERT(animVal->wrappers().size() == m_animatedWrappers.size());
+        m_animatingAnimVal = animVal();
+        m_animatingAnimVal->setValuesAndWrappers(newAnimVal, &m_animatedWrappers, shouldOwnValues);
+        ASSERT(m_animatingAnimVal->values().size() == m_animatingAnimVal->wrappers().size());
+        ASSERT(m_animatingAnimVal->wrappers().size() == m_animatedWrappers.size());
         m_isAnimating = true;
     }
@@ -109 +124 @@
     {
         ASSERT(m_isAnimating);
-        ASSERT(m_animVal);
-        ASSERT(m_values.size() == m_wrappers.size());
-
-        ListProperty* animVal = static_cast<ListProperty*>(m_animVal.get());
-        ASSERT(animVal->values().size() == animVal->wrappers().size());
-        ASSERT(animVal->wrappers().size() == m_animatedWrappers.size());
-
-        animVal->setValuesAndWrappers(&m_values, &m_wrappers, false);
-        ASSERT(animVal->values().size() == animVal->wrappers().size());
-        ASSERT(animVal->wrappers().size() == m_wrappers.size());
+        ASSERT(m_animatingAnimVal);
+        ASSERT(m_values.size() == m_wrappers.size());
+
+        ASSERT(m_animatingAnimVal->values().size() == m_animatingAnimVal->wrappers().size());
+        ASSERT(m_animatingAnimVal->wrappers().size() == m_animatedWrappers.size());
+
+        m_animatingAnimVal->setValuesAndWrappers(&m_values, &m_wrappers, false);
+        ASSERT(m_animatingAnimVal->values().size() == m_animatingAnimVal->wrappers().size());
+        ASSERT(m_animatingAnimVal->wrappers().size() == m_wrappers.size());
 
         m_animatedWrappers.clear();
+        m_animatingAnimVal = nullptr;
         m_isAnimating = false;
     }
@@ -126 +141 @@
     void synchronizeWrappersIfNeeded()
     {
+        ASSERT(m_isAnimating);
+        ASSERT(m_animatingAnimVal);
+
         // Eventually the wrapper list needs synchronization because any SVGAnimateLengthList::calculateAnimatedValue() call may
         // mutate the length of our values() list, and thus the wrapper() cache needs synchronization, to have the same size.
@@ -131 +149 @@
         // of them is created, so existing animVal variables in JS are kept-alive). If we'd detach them later the underlying
         // SVGLengthList was already mutated, and our list item wrapper tear offs would point nowhere. Assertions would fire.
-        ListProperty* animVal = static_cast<ListProperty*>(m_animVal.get());
-        animVal->detachListWrappers(animVal->values().size());
-
-        ASSERT(animVal->values().size() == animVal->wrappers().size());
-        ASSERT(animVal->wrappers().size() == m_animatedWrappers.size());
+        m_animatingAnimVal->detachListWrappers(m_animatingAnimVal->values().size());
+
+        ASSERT(m_animatingAnimVal->values().size() == m_animatingAnimVal->wrappers().size());
+        ASSERT(m_animatingAnimVal->wrappers().size() == m_animatedWrappers.size());
     }
 
     void animValWillChange()
     {
-        ASSERT(m_isAnimating);
-        ASSERT(m_animVal);
         ASSERT(m_values.size() == m_wrappers.size());
         synchronizeWrappersIfNeeded();
@@ -148 +163 @@
     void animValDidChange()
     {
-        ASSERT(m_isAnimating);
-        ASSERT(m_animVal);
         ASSERT(m_values.size() == m_wrappers.size());
         synchronizeWrappersIfNeeded();
@@ -174 +187 @@
     ListWrapperCache m_animatedWrappers;
 
-    RefPtr<SVGProperty> m_baseVal;
-    RefPtr<SVGProperty> m_animVal;
+    // Cache the raw pointer but return a RefPtr<>. This will break the cyclic reference
+    // between SVGListPropertyTearOff and SVGAnimatedListPropertyTearOff once the property
+    // pointer is not needed.
+    ListProperty* m_baseVal { nullptr };
+    ListProperty* m_animVal { nullptr };
+
+    RefPtr<ListProperty> m_animatingAnimVal;
 };
 

trunk/Source/WebCore/svg/properties/SVGAnimatedPathSegListPropertyTearOff.h

@@ -32 +32 @@
 class SVGAnimatedPathSegListPropertyTearOff : public SVGAnimatedListPropertyTearOff<SVGPathSegList> {
 public:
-    virtual SVGListProperty<SVGPathSegList>* baseVal() override
+    virtual RefPtr<ListProperty> baseVal() override
     {
-        if (!m_baseVal)
-            m_baseVal = SVGPathSegListPropertyTearOff::create(this, BaseValRole, PathSegUnalteredRole, m_values, m_wrappers);
-        return static_cast<SVGListProperty<SVGPathSegList>*>(m_baseVal.get());
+        if (m_baseVal)
+            return m_baseVal;
+
+        auto property = SVGPathSegListPropertyTearOff::create(this, BaseValRole, PathSegUnalteredRole, m_values, m_wrappers);
+        m_baseVal = property.ptr();
+        return WTFMove(property);
     }
 
-    virtual SVGListProperty<SVGPathSegList>* animVal() override
+    virtual RefPtr<ListProperty> animVal() override
     {
-        if (!m_animVal)
-            m_animVal = SVGPathSegListPropertyTearOff::create(this, AnimValRole, PathSegUnalteredRole, m_values, m_wrappers);
-        return static_cast<SVGListProperty<SVGPathSegList>*>(m_animVal.get());
+        if (m_animVal)
+            return m_animVal;
+
+        auto property = SVGPathSegListPropertyTearOff::create(this, AnimValRole, PathSegUnalteredRole, m_values, m_wrappers);
+        m_animVal = property.ptr();
+        return WTFMove(property);
     }
 
-    int findItem(const RefPtr<SVGPathSeg>& segment) const
+    int findItem(const RefPtr<SVGPathSeg>& segment)
     {
         // This should ever be called for our baseVal, as animVal can't modify the list.
-        ASSERT(m_baseVal);
-        return static_cast<SVGPathSegListPropertyTearOff*>(m_baseVal.get())->findItem(segment);
+        return static_cast<SVGPathSegListPropertyTearOff*>(baseVal().get())->findItem(segment);
     }
 
@@ -56 +61 @@
     {
         // This should ever be called for our baseVal, as animVal can't modify the list.
-        ASSERT(m_baseVal);
-        static_cast<SVGPathSegListPropertyTearOff*>(m_baseVal.get())->removeItemFromList(itemIndex, shouldSynchronizeWrappers);
+        static_cast<SVGPathSegListPropertyTearOff*>(baseVal().get())->removeItemFromList(itemIndex, shouldSynchronizeWrappers);
     }
 

trunk/Source/WebCore/svg/properties/SVGAnimatedProperty.h

@@ -49 +49 @@
 
     template<typename OwnerType, typename TearOffType, typename PropertyType>
-    static TearOffType& lookupOrCreateWrapper(OwnerType* element, const SVGPropertyInfo* info, PropertyType& property)
+    static Ref<TearOffType> lookupOrCreateWrapper(OwnerType* element, const SVGPropertyInfo* info, PropertyType& property)
     {
         ASSERT(info);
         SVGAnimatedPropertyDescription key(element, info->propertyIdentifier);
-        auto& slot = animatedPropertyCache()->add(key, nullptr).iterator->value;
-        if (!slot) {
-            Ref<SVGAnimatedProperty> wrapper = TearOffType::create(element, info->attributeName, info->animatedPropertyType, property);
-            if (info->animatedPropertyState == PropertyIsReadOnly)
-                wrapper->setIsReadOnly();
-            slot = &wrapper.leakRef();
-        }
-        return static_cast<TearOffType&>(*slot);
+
+        auto result = animatedPropertyCache()->add(key, nullptr);
+        if (!result.isNewEntry)
+            return static_cast<TearOffType&>(*result.iterator->value);
+
+        Ref<SVGAnimatedProperty> wrapper = TearOffType::create(element, info->attributeName, info->animatedPropertyType, property);
+        if (info->animatedPropertyState == PropertyIsReadOnly)
+            wrapper->setIsReadOnly();
+
+        // Cache the raw pointer but return a Ref<>. This will break the cyclic reference
+        // between SVGAnimatedProperty and SVGElement once the property pointer is not needed.
+        result.iterator->value = wrapper.ptr();
+        return static_reference_cast<TearOffType>(wrapper);
     }
 
     template<typename OwnerType, typename TearOffType>
-    static TearOffType* lookupWrapper(OwnerType* element, const SVGPropertyInfo* info)
+    static RefPtr<TearOffType> lookupWrapper(OwnerType* element, const SVGPropertyInfo* info)
     {
         ASSERT(info);
@@ -72 +77 @@
 
     template<typename OwnerType, typename TearOffType>
-    static TearOffType* lookupWrapper(const OwnerType* element, const SVGPropertyInfo* info)
+    static RefPtr<TearOffType> lookupWrapper(const OwnerType* element, const SVGPropertyInfo* info)
     {
         return lookupWrapper<OwnerType, TearOffType>(const_cast<OwnerType*>(element), info);

trunk/Source/WebCore/svg/properties/SVGAnimatedPropertyMacros.h

@@ -124 +124 @@
     PropertyType& LowerProperty() const \
     { \
-        if (TearOffType* wrapper = SVGAnimatedProperty::lookupWrapper<UseOwnerType, TearOffType>(this, LowerProperty##PropertyInfo())) { \
+        if (auto wrapper = SVGAnimatedProperty::lookupWrapper<UseOwnerType, TearOffType>(this, LowerProperty##PropertyInfo())) { \
             if (wrapper->isAnimating()) \
                 return wrapper->currentAnimatedValue(); \
@@ -185 +185 @@
 void detachAnimated##UpperProperty##ListWrappers(unsigned newListSize) \
 { \
-    if (TearOffType* wrapper = SVGAnimatedProperty::lookupWrapper<UseOwnerType, TearOffType>(this, LowerProperty##PropertyInfo())) \
+    if (auto wrapper = SVGAnimatedProperty::lookupWrapper<UseOwnerType, TearOffType>(this, LowerProperty##PropertyInfo())) \
         wrapper->detachListWrappers(newListSize); \
 }

trunk/Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h

@@ -29 +29 @@
 class SVGAnimatedTransformListPropertyTearOff : public SVGAnimatedListPropertyTearOff<SVGTransformList> {
 public:
-    virtual SVGListPropertyTearOff<SVGTransformList>* baseVal() override
+    virtual RefPtr<ListProperty> baseVal() override
     {
-        if (!m_baseVal)
-            m_baseVal = SVGTransformListPropertyTearOff::create(this, BaseValRole, m_values, m_wrappers);
-        return static_cast<SVGListPropertyTearOff<SVGTransformList>*>(m_baseVal.get());
+        if (m_baseVal)
+            return m_baseVal;
+
+        auto property = SVGTransformListPropertyTearOff::create(this, BaseValRole, m_values, m_wrappers);
+        m_baseVal = property.ptr();
+        return WTFMove(property);
     }
 
-    virtual SVGListPropertyTearOff<SVGTransformList>* animVal() override
+    virtual RefPtr<ListProperty> animVal() override
     {
-        if (!m_animVal)
-            m_animVal = SVGTransformListPropertyTearOff::create(this, AnimValRole, m_values, m_wrappers);
-        return static_cast<SVGListPropertyTearOff<SVGTransformList>*>(m_animVal.get());
+        if (m_animVal)
+            return m_animVal;
+
+        auto property = SVGTransformListPropertyTearOff::create(this, AnimValRole, m_values, m_wrappers);
+        m_animVal = property.ptr();
+        return WTFMove(property);
     }
 

trunk/Source/WebCore/svg/properties/SVGListPropertyTearOff.h

@@ -121 +121 @@
     }
 
+    virtual ~SVGListPropertyTearOff()
+    {
+        if (m_animatedProperty)
+            m_animatedProperty->propertyWillBeDeleted(*this);
+    }
+
     virtual bool isReadOnly() const override
     {

trunk/Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp

@@ -91 +91 @@
 {
     SVGPathSegWithContext* newItemWithContext = static_cast<SVGPathSegWithContext*>(newItem.get());
-    SVGAnimatedProperty* animatedPropertyOfItem = newItemWithContext->animatedProperty();
+    RefPtr<SVGAnimatedProperty> animatedPropertyOfItem = newItemWithContext->animatedProperty();
 
     // Alter the role, after calling animatedProperty(), as that may influence the returned animated property.
@@ -107 +107 @@
     // 'newItem' is already living in another list. If it's not our list, synchronize the other lists wrappers after the removal.
     bool livesInOtherList = animatedPropertyOfItem != m_animatedProperty;
-    SVGAnimatedPathSegListPropertyTearOff* propertyTearOff = static_cast<SVGAnimatedPathSegListPropertyTearOff*>(animatedPropertyOfItem);
+    RefPtr<SVGAnimatedPathSegListPropertyTearOff> propertyTearOff = static_pointer_cast<SVGAnimatedPathSegListPropertyTearOff>(animatedPropertyOfItem);
     int indexToRemove = propertyTearOff->findItem(newItem.get());
     ASSERT(indexToRemove != -1);