Webkit crashes when I double click the text in the following SVG. <?xml version="1.0"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()"> <script><![CDATA[ var flag=1; var c; function init() { c= document.getElementById("use") setInterval("loop()",250); } function loop() { c.setAttributeNS("http://www.w3.org/1999/xlink","href","#rec"+flag) flag=1-flag; } ]]> </script> <symbol shape-rendering="optimizeSpeed" id="rec0" viewBox="0 0 64 64"> <rect width="59" height="59" x="5" y="5" fill="red" /> <text x="17" y="56" font-size="60" pointer-events="none" > A </text> </symbol> <symbol shape-rendering="optimizeSpeed" id="rec1" viewBox="0 0 64 64"> <rect width="59" height="59" x="5" y="5" fill="magenta" /> <text x="17" y="56" font-size="60" pointer-events="none" > B </text> </symbol> <use id="use" xlink:href="#rec0"/> </svg>
Created attachment 14591 [details] Test case from Comment #0
Confirmed with a local debug build of WebKit r21517 using Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135). I'm not sure if this test uses disabled SVG features not present in ToT, so I'm erring on the side of caution and making this a P1 since it's a reproducible crasher. Note that you may have to double-click more than once to trigger the crash. Console output: ASSERTION FAILED: nodeA (/path/to/WebKit/WebCore/editing/htmlediting.cpp:86 int WebCore::comparePositions(const WebCore::Position&, const WebCore::Position&)) Bus error Stack trace: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 com.apple.WebCore 0x012c8bd4 WebCore::Node::shadowAncestorNode() + 28 (Node.cpp:1094) 1 com.apple.WebCore 0x01249a70 WebCore::comparePositions(WebCore::Position const&, WebCore::Position const&) + 228 (htmlediting.cpp:92) 2 com.apple.WebCore 0x0126a73c WebCore::SelectionController::contains(WebCore::IntPoint const&) + 604 (SelectionController.cpp:1029) 3 com.apple.WebCore 0x0148db9c WebCore::HitTestResult::isSelected() const + 168 (HitTestResult.cpp:131) 4 com.apple.WebKit 0x003bc1d0 -[WebElementDictionary _isSelected] + 76 (WebElementDictionary.mm:213) 5 com.apple.WebKit 0x003bbc24 -[WebElementDictionary objectForKey:] + 300 (WebElementDictionary.mm:147) 6 com.apple.WebKit 0x003518e4 -[WebHTMLView _isSelectionEvent:] + 256 (WebHTMLView.mm:2730) 7 com.apple.WebKit 0x00351ca4 -[WebHTMLView shouldDelayWindowOrderingForEvent:] + 232 (WebHTMLView.mm:2761) 8 com.apple.AppKit 0x937fcd08 -[NSWindow sendEvent:] + 1664 9 com.apple.Safari 0x00021734 0x1000 + 132916 10 com.apple.AppKit 0x937a68d4 -[NSApplication sendEvent:] + 4172 11 com.apple.Safari 0x00021238 0x1000 + 131640 12 com.apple.AppKit 0x9379dd10 -[NSApplication run] + 508 13 com.apple.AppKit 0x9388e87c NSApplicationMain + 452 14 com.apple.Safari 0x0005c77c 0x1000 + 374652 15 com.apple.Safari 0x0005c624 0x1000 + 374308
HTML Editing makes assumptions which are not valid for SVG. Check in detail.
Nothing can make this crash on my system, dave can you still repro?
I can't reproduce this with a local debug build of WebKit r24285 with Safari 3.0 (522.12) on Mac OS X 10.4.10 (8R218). Closing as RESOLVED/FIXED.