(In reply to comment #0) > Appears to happen on or just before svg/custom/js-update-gradient.svg. It does > not reproduce 100% of the time. I've not managed to reproduce it when trying > to retrieve a backtrace. Log into the buildbot server and pick up the stack trace from ~/Library/Logs/CrashReporter/DumpRenderTree.crash.log for the time it happened.

I don't have easy access to the build slave in question (that I know of), or I'd do just that :-)

[14:14] bdash: WildFox: so why does it only sometimes happen? [14:14] WildFox: bdash: well, ie. if you access mygradient.x1 from JS following happens [14:15] WildFox: the "x1" is a SVGAnimatedLength object [14:15] WildFox: we store the "context" ("mygradient") with the "x1" pointer in a hashmap [14:15] WildFox: so if you call mygradient.x1.baseVal.value it will update the right context [14:15] WildFox: (SVG DOM oddness) [14:15] WildFox: the problem is that cache is never cleared [14:15] WildFox: for single-docs, no problem [14:16] WildFox: if you open a new document, which also access mygradient.x1 you may have bad luck that the _same_ pointer is used [14:16] WildFox: same x1 pointer [14:16] bdash: WildFox: ah, right [14:16] WildFox: it's really "bad luck" if that happens [14:16] bdash: but it's what is happening ;) [14:16] WildFox: bdash: we just need to find "the right place" to clear the caches We need to find a place to clear the caches ASAP! Anyone got an idea?

Shouldn't each document have its own separate cache?

Created attachment 12634 [details] Initial patch Okay, it turned out there is no need for any place to "clear the cache". It would even be wrong to do that - as discussed with Maciej. I just forgot to remove the context objects from the SVGDocumentExtension cache once their corresponding JS objects get destructed. Ran layout tests 10 times now - couldn't reproduce anymore - hopefully it's fixed.

Comment on attachment 12634 [details] Initial patch r=me

Landed in r19058.