One set of failing tests: svg/W3C-SVG-1.1/animate-elem-03-t.svg svg/W3C-SVG-1.1/animate-elem-05-t.svg svg/W3C-SVG-1.1/animate-elem-09-t.svg svg/W3C-SVG-1.1/animate-elem-11-t.svg svg/W3C-SVG-1.1/animate-elem-13-t.svg svg/W3C-SVG-1.1/animate-elem-15-t.svg svg/W3C-SVG-1.1/animate-elem-17-t.svg svg/W3C-SVG-1.1/animate-elem-19-t.svg svg/W3C-SVG-1.1/animate-elem-23-t.svg svg/W3C-SVG-1.1/animate-elem-29-b.svg svg/W3C-SVG-1.1/animate-elem-31-t.svg svg/W3C-SVG-1.1/animate-elem-33-t.svg svg/W3C-SVG-1.1/animate-elem-36-t.svg svg/W3C-SVG-1.1/animate-elem-40-t.svg svg/W3C-SVG-1.1/animate-elem-44-t.svg svg/W3C-SVG-1.1/animate-elem-52-t.svg svg/W3C-SVG-1.1/animate-elem-61-t.svg svg/W3C-SVG-1.1/animate-elem-65-t.svg svg/W3C-SVG-1.1/animate-elem-67-t.svg svg/W3C-SVG-1.1/animate-elem-69-t.svg svg/W3C-SVG-1.1/animate-elem-77-t.svg svg/W3C-SVG-1.1/animate-elem-80-t.svg svg/W3C-SVG-1.1/animate-elem-82-t.svg svg/W3C-SVG-1.1/color-prof-01-f.svg svg/W3C-SVG-1.1/pservers-pattern-01-b.svg These all crash with the following backtrace. It seems that `this` has been deleted. WebKit_debug.dll!WebCore::ContainerNode::removedFromDocument() Line 672 WebKit_debug.dll!WebCore::Element::removedFromDocument() Line 714 WebKit_debug.dll!WebCore::ContainerNode::addChildNodesToDeletionQueue(WebCore::Node * & head=0x06f99b28, WebCore::Node * & tail=0x01fa16a8, WebCore::ContainerNode * container=0x06f66650) Line 82 WebKit_debug.dll!WebCore::ContainerNode::removeAllChildren() Line 109 WebKit_debug.dll!WebCore::Document::removedLastRef() Line 381 WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 WebKit_debug.dll!WTF::RefPtr<WebCore::Document>::operator=(const WTF::PassRefPtr<WebCore::Document> & o={...}) Line 121 WebKit_debug.dll!WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document> newDoc={...}) Line 257 WebKit_debug.dll!WebCore::FrameLoader::clear(bool clearWindowProperties=true, bool clearScriptObjects=true) Line 840 WebKit_debug.dll!WebCore::FrameLoader::begin(const WebCore::KURL & url={...}, bool dispatch=false, WebCore::SecurityOrigin * origin=0x00000000) Line 913 WebKit_debug.dll!WebCore::FrameLoader::receivedFirstData() Line 864 WebKit_debug.dll!WebCore::FrameLoader::setEncoding(const WebCore::String & name={...}, bool userChosen=false) Line 1833 WebKit_debug.dll!WebFrameLoaderClient::receivedData(const char * data=0x07037e50, int length=8526, const WebCore::String & textEncoding={...}) Line 411 WebKit_debug.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x06eeb188, const char * data=0x07037e50, int length=8526) Line 383 WebKit_debug.dll!WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader * loader=0x06eeb188, const char * data=0x07037e50, int length=8526) Line 3332 WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x07037e50, int length=8526) Line 343 WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x07037e50, int length=8526) Line 355 WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x07037e50, int length=8526) Line 2287 WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x07037e50, int length=8526, bool allAtOnce=false) Line 139 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x07037e50, int length=8526, __int64 lengthReceived=8526, bool allAtOnce=false) Line 244 WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x07037e50, int length=8526, __int64 lengthReceived=8526, bool allAtOnce=false) Line 297 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x06faaa78, const char * data=0x07037e50, int length=8526, int lengthReceived=8526) Line 375 WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x01fd9a98, const __CFData * data=0x07037e38, long originalLength=8526, const void * clientInfo=0x06faaa78) Line 107

This test: svg/W3C-SVG-1.1/animate-elem-63-t.svg crashes with a similar but different backtrace. It also seems that `this` has been deleted. WebKit_debug.dll!WebCore::ContainerNode::removedFromDocument() Line 672 WebKit_debug.dll!WebCore::Element::removedFromDocument() Line 714 WebKit_debug.dll!WebCore::ContainerNode::addChildNodesToDeletionQueue(WebCore::Node * & head=0x020c7398, WebCore::Node * & tail=0x020c8078, WebCore::ContainerNode * container=0x020c7448) Line 82 WebKit_debug.dll!WebCore::ContainerNode::removeAllChildren() Line 94 WebKit_debug.dll!WebCore::ContainerNode::~ContainerNode() Line 118 WebKit_debug.dll!WebCore::Element::~Element() Line 119 WebKit_debug.dll!WebCore::StyledElement::~StyledElement() Line 111 WebKit_debug.dll!WebCore::SVGElement::~SVGElement() Line 58 WebKit_debug.dll!WebCore::SVGStyledElement::~SVGStyledElement() Line 55 WebKit_debug.dll!WebCore::SVGStyledLocatableElement::~SVGStyledLocatableElement() Line 43 WebKit_debug.dll!WebCore::SVGStyledTransformableElement::~SVGStyledTransformableElement() Line 47 WebKit_debug.dll!WebCore::SVGGElement::~SVGGElement() Line 42 WebKit_debug.dll!WebCore::SVGGElement::`vbase destructor'() + 0x16 bytes C++ WebKit_debug.dll!WebCore::SVGGElement::`scalar deleting destructor'() + 0x16 bytes C++ WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::removedLastRef() Line 99 WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 WebKit_debug.dll!WTF::RefPtr<WebCore::SVGElement>::operator=(WebCore::SVGElement * optr=0x00000000) Line 112 WebKit_debug.dll!WebCore::SVGSMILElement::removedFromDocument() Line 128 WebKit_debug.dll!WebCore::ContainerNode::removedFromDocument() Line 672 WebKit_debug.dll!WebCore::Element::removedFromDocument() Line 714 WebKit_debug.dll!WebCore::ContainerNode::addChildNodesToDeletionQueue(WebCore::Node * & head=0x020cf3c0, WebCore::Node * & tail=0x020c7298, WebCore::ContainerNode * container=0x020b8600) Line 82 WebKit_debug.dll!WebCore::ContainerNode::removeAllChildren() Line 109 WebKit_debug.dll!WebCore::Document::removedLastRef() Line 381 WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 WebKit_debug.dll!WTF::RefPtr<WebCore::Document>::operator=(const WTF::PassRefPtr<WebCore::Document> & o={...}) Line 121 WebKit_debug.dll!WebCore::Frame::setDocument(WTF::PassRefPtr<WebCore::Document> newDoc={...}) Line 257 WebKit_debug.dll!WebCore::FrameLoader::clear(bool clearWindowProperties=true, bool clearScriptObjects=true) Line 840 WebKit_debug.dll!WebCore::FrameLoader::begin(const WebCore::KURL & url={...}, bool dispatch=false, WebCore::SecurityOrigin * origin=0x00000000) Line 913 WebKit_debug.dll!WebCore::FrameLoader::receivedFirstData() Line 864 WebKit_debug.dll!WebCore::FrameLoader::setEncoding(const WebCore::String & name={...}, bool userChosen=false) Line 1833 WebKit_debug.dll!WebFrameLoaderClient::receivedData(const char * data=0x02121350, int length=8919, const WebCore::String & textEncoding={...}) Line 411 WebKit_debug.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader=0x01fccca8, const char * data=0x02121350, int length=8919) Line 383 WebKit_debug.dll!WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader * loader=0x01fccca8, const char * data=0x02121350, int length=8919) Line 3332 WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x02121350, int length=8919) Line 343 WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x02121350, int length=8919) Line 355 WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x02121350, int length=8919) Line 2287 WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x02121350, int length=8919, bool allAtOnce=false) Line 139 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x02121350, int length=8919, __int64 lengthReceived=8919, bool allAtOnce=false) Line 244 WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x02121350, int length=8919, __int64 lengthReceived=8919, bool allAtOnce=false) Line 297 WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x01fb2440, const char * data=0x02121350, int length=8919, int lengthReceived=8919) Line 375 WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x01fbd7e8, const __CFData * data=0x02121330, long originalLength=8919, const void * clientInfo=0x01fb2440) Line 107

It seems every other test is failing. In comment 1, I said that tests 1, 3, 5, 7, 9, 11, etc. were failing. I disabled those and now tests 4, 8, 12, 16, etc., are failing. So it seems to be every other animation test that fails.

This seems to only affect debug builds. It's possible it would happen on Mac as well if run under GuardMalloc.

Antti got the crash to reproduce under GuardMalloc on Mac.

Sending WebCore/ChangeLog Sending WebCore/svg/animation/SVGSMILElement.cpp Sending WebCore/svg/animation/SVGSMILElement.h Transmitting file data ... Committed revision 32039.

I just got this crash again while running svg/W3C-SVG-1.1/animate-elem-63-t.svg (though presumably it's the previous test that triggered the problem).

I should note that I was running r32206.

Created attachment 20672 [details] patch

Comment on attachment 20672 [details] patch Need new lines before unregister and handleEvent Otherwise this looks sane. r=me

Sending WebCore/ChangeLog Sending WebCore/svg/animation/SVGSMILElement.cpp Sending WebCore/svg/animation/SVGSMILElement.h Transmitting file data ... Committed revision 32230.