Created attachment 370250
Code for reproduction and system crash report

In the attachment you will find a main.html and the crash report. If you open main.html and slowly drag the column separation bar to the right border WebKit will crash.

I think the following 3 conditions are needed to cause the crash:
- (MouseMove) Hit test against a
- SVG Rect of zero width or zero height
- SVG Rect with rounded corners (rx > 0 or ry > 0)
<rdar://problem/50967723>
Crash in:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x0000000109436358 WebCore::Path::contains(WebCore::FloatPoint const&, WebCore::WindRule) const + 24
1   com.apple.WebCore   0x000000010a745f44 WebCore::RenderSVGShape::nodeAtFloatPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::FloatPoint const&, WebCore::HitTestAction) + 516
2   com.apple.WebCore   0x000000010a72f828 WebCore::RenderSVGContainer::nodeAtFloatPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::FloatPoint const&, WebCore::HitTestAction) + 328

Said, didn't you fix this?
Yes, I believe this bug was fixed by <https://trac.webkit.org/changeset/243845>.

In the scenario of this bug RenderSVGShape::nodeAtFloatPoint() calls RenderSVGShape::fillContains() which calls RenderSVGRect::shapeDependentFillContains(). This last function checks the value of m_usePathFallback. If it is true, it calls Path::contains() via RenderSVGShape::shapeDependentFillContains(). Before r243845, m_usePathFallback could be set to true while m_path is null. After r243845, if m_usePathFallback is true, m_path has to be a valid pointer.

The crash log shows that the WebKit build is 13607 (13607.2.6.1.2). I think it corresponds to safari-607.2.6.2-branch or very close to it. I checked this branch and it does not have r243845. So I assume this is a duplicate of https://bugs.webkit.org/show_bug.cgi?id=196518.

*** This bug has been marked as a duplicate of bug 196518 ***
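The comment above describes a flag (m_usePathFallback) and a pointer (m_path) that could disagree, so the hit test dereferenced a null Path. The following C++ sketch is an added illustration of the defensive pattern and is not WebKit's code: the type names (FloatPoint, Path, RectShape) are stand-ins, Path::contains is a plain box test, and the rule "rounded, non-empty rects use a path; empty rects have no fill area" is an assumption made for the example. The point it shows is that the "use the path" decision is derived from whether the path exists, so a zero-width or zero-height rounded rect never reaches a null dereference during hit testing.

```cpp
#include <memory>

// Stand-in for WebCore::FloatPoint (example only, not the WebKit type).
struct FloatPoint {
    float x;
    float y;
};

// Stand-in for WebCore::Path: an axis-aligned box is enough to show the
// coupling between the fallback flag and the pointer.
class Path {
public:
    Path(float x, float y, float w, float h) : m_x(x), m_y(y), m_w(w), m_h(h) {}
    bool contains(const FloatPoint& p) const {
        return p.x >= m_x && p.x <= m_x + m_w && p.y >= m_y && p.y <= m_y + m_h;
    }
private:
    float m_x, m_y, m_w, m_h;
};

// Stand-in for a rect shape renderer. Instead of storing a separate
// m_usePathFallback flag that can drift out of sync with m_path, the
// fallback decision is computed from m_path itself.
class RectShape {
public:
    RectShape(float x, float y, float w, float h, float rx, float ry)
        : m_x(x), m_y(y), m_w(w), m_h(h), m_rx(rx), m_ry(ry) { updateShape(); }

    // Assumed rule for this example: only a non-empty rect with rounded
    // corners builds a path; an empty rect (zero width or height) gets none.
    void updateShape() {
        m_path.reset();
        if (isEmpty())
            return;
        if (m_rx > 0 || m_ry > 0)
            m_path = std::make_unique<Path>(m_x, m_y, m_w, m_h);
    }

    bool isEmpty() const { return m_w <= 0 || m_h <= 0; }

    // Derived, never stored: true exactly when a path exists.
    bool usePathFallback() const { return m_path != nullptr; }

    // Hit test for the fill area. Empty shapes are rejected before any
    // pointer is touched; the path is only dereferenced when present.
    bool fillContains(const FloatPoint& p) const {
        if (isEmpty())
            return false;
        if (m_path)
            return m_path->contains(p);
        return p.x >= m_x && p.x <= m_x + m_w && p.y >= m_y && p.y <= m_y + m_h;
    }

    // The invariant the comment says r243845 restored; here it holds by
    // construction because usePathFallback() is read from m_path.
    bool invariantHolds() const { return !usePathFallback() || m_path != nullptr; }

private:
    float m_x, m_y, m_w, m_h, m_rx, m_ry;
    std::unique_ptr<Path> m_path;
};
```

The three shapes worth checking are the ones the report singles out: a zero-width rounded rect (no path, no hit, invariant intact), a normal rounded rect (path present, hit inside, miss outside) and a plain rect (no path, direct box test).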