In <http://trac.webkit.org/changeset/95047>, we tried to fix this issue. But instead of registering the clients of the destroyed resource, we registered all the clients in the cache as having pending resources. In SVGResourcesCache::resourceDestroyed(), we call resourcesCacheFromRenderer() which returns a cache that maps <RenderElement, SVGResources>. We loop through all the elements in the cache and we call SVGResources::resourceDestroyed() which will remove the reference to the destroyed resource if it's one of the resources of SVGResources Then we call SVGDocumentExtensions::addPendingResource() with the ID of the destroyed resource and the Element of the RenderElement. This is wrong if the SVGResources does not have a reference to the destroyed resource. It is waste of time to register the Element of the RenderElement to have a pending resources in this caae.
Created attachment 324358 [details] Patch
<rdar://problem/35064781>
Comment on attachment 324358 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=324358&action=review > Source/WebCore/rendering/svg/SVGResources.cpp:391 > m_clipperFilterMaskerData->masker = 0; These 0 should all be nullptr, right? > Source/WebCore/rendering/svg/SVGResources.h:70 > + bool resourceDestroyed(RenderSVGResourceContainer&); Please add a comment saying what the return value means, or use an enum.
Created attachment 324424 [details] Patch
Comment on attachment 324424 [details] Patch Clearing flags on attachment: 324424 Committed r223789: <https://trac.webkit.org/changeset/223789>
All reviewed patches have been landed. Closing bug.