Go to http://www.kde-look.org/content/show.php?content=19524 and download gearflowers.svg. Open gearflowers.svg (I've been dragging and dropping it into WebKit). Right-click > View Source. Click the back button. WebKit crashes.
This can also be reproduced using images from the SVG test suite at http://www.w3.org/Graphics/SVG/Test/ so it's probably not something specific about that image.
Confirmed with a local debug build of WebKit r21690 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135). Note that you must leave the view source window open when you hit the back button, or you won't see the crash.

Console output:
Bus error

Stack trace:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000334

Thread 0 Crashed:
0 com.apple.WebCore 0x01493954 WebCore::FrameLoader::frameHasLoaded() const + 28 (FrameLoader.cpp:2250)
1 com.apple.WebKit 0x0033c654 -[WebDataSource request] + 60 (WebDataSource.mm:407)
2 com.apple.Safari 0x00084728 0x1000 + 538408
3 com.apple.Foundation 0x92be2ae4 _nsnote_callback + 180
4 com.apple.CoreFoundation 0x90806078 __CFXNotificationPost + 368
5 com.apple.CoreFoundation 0x907fe114 _CFXNotificationPostNotification + 684
6 com.apple.Foundation 0x92bcceec -[NSNotificationCenter postNotificationName:object:userInfo:] + 92
7 com.apple.Safari 0x00022758 0x1000 + 137048
8 com.apple.WebKit 0x003c6f78 WebFrameLoaderClient::dispatchDidFinishLoad() + 260
9 com.apple.WebCore 0x0149fca8 WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 1564 (FrameLoader.cpp:2783)
10 com.apple.WebCore 0x014a0118 WebCore::FrameLoader::recursiveCheckLoadComplete() + 364 (FrameLoader.cpp:2875)
11 com.apple.WebCore 0x014a00f4 WebCore::FrameLoader::recursiveCheckLoadComplete() + 328 (FrameLoader.cpp:2872)
12 com.apple.WebCore 0x014a0208 WebCore::FrameLoader::checkLoadComplete() + 208 (FrameLoader.cpp:2887)
13 com.apple.WebCore 0x014a035c WebCore::FrameLoader::finishedLoading() + 320 (FrameLoader.cpp:2601)
14 com.apple.WebCore 0x014ac43c WebCore::MainResourceLoader::didFinishLoading() + 272 (MainResourceLoader.cpp:304)
15 com.apple.WebCore 0x014ae598 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 60
16 com.apple.WebCore 0x014834b0 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 144 (ResourceHandleMac.mm:370)
17 com.apple.Foundation 0x92c1589c -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188
18 com.apple.Foundation 0x92c13b08 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556
19 com.apple.Foundation 0x92c13860 _sendCallbacks + 156
20 com.apple.CoreFoundation 0x907df4fc __CFRunLoopDoSources0 + 384
21 com.apple.CoreFoundation 0x907dea2c __CFRunLoopRun + 452
22 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
23 com.apple.HIToolbox 0x9329bb20 RunCurrentEventLoopInMode + 264
24 com.apple.HIToolbox 0x9329b1b4 ReceiveNextEventCommon + 380
25 com.apple.HIToolbox 0x9329b020 BlockUntilNextEventMatchingListInMode + 96
26 com.apple.AppKit 0x937a1ae4 _DPSNextEvent + 384
27 com.apple.AppKit 0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
28 com.apple.Safari 0x00006740 0x1000 + 22336
29 com.apple.AppKit 0x9379dcec -[NSApplication run] + 472
30 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
31 com.apple.Safari 0x0005c77c 0x1000 + 374652
32 com.apple.Safari 0x0005c624 0x1000 + 374308
Fixed in r21710. http://trac.webkit.org/projects/webkit/changeset/21710 rdar://problem/5225343