Created attachment 33514 [details] Causes a crash I have produced the attached file, which reproduces the crash for me here. The issue appears to be triggered when a <use> element is added via DOM that references an ID that doesn't exist.
Unable to reproduce @46406
Created attachment 40189 [details] patch that fixes crash caused by using a symbol that doesn't exist When a symbol that was referenced by a <use> does not exist, the SVGUseElement doesn't bother to build the instance tree and shadow tree in SVGUseElement::buildPendingResource(). Thus in : static bool shadowTreeContainsChangedNodes(SVGElementInstance* target) we should first check if target exists, if target is NULL, we just return false.
Comment on attachment 40189 [details] patch that fixes crash caused by using a symbol that doesn't exist Looks good. r=me.
Comment on attachment 40189 [details] patch that fixes crash caused by using a symbol that doesn't exist Clearing flags on attachment: 40189 Committed r48810: <http://trac.webkit.org/changeset/48810>
All reviewed patches have been landed. Closing bug.