Created attachment 57349 [details] The stack trace

1) Load an SVG into a web frame
2) Evaluate a JavaScript that accesses 'document.rootElement.preserveAspectRatio.baseVal.align'

When repeating the above two steps consecutively, after ~30-50 repetitions, the application will crash in 'JSValue jsSVGPreserveAspectRatioAlign()'. See attached stacktrace.txt.

This happens with the WebKit version that is used in qt/4.7, Git SHA: 00b2882349d42736f1e3f753838af27a3774eb64
It does not happen in Qt 4.6.2.

(The issue may not be Qt-layer specific at all. I selected component WebKit Qt because my attached test app is done in Qt.)
Created attachment 57351 [details] Minimal Qt based app to reproduce the issue.
Created attachment 57352 [details] .pro file for the test app
The stacktrace suggests that this happens at least on Windows. I wonder if it also happens on other platforms.
Cannot reproduce on Linux with ToT.
Changed component to SVG, so it shows up in my all-svg-bugs search.
The SVG DOM JS bindings were rewritten. Can you retry with trunk, to see if you still see a crash?
Good news. I tested it with a trunk build of r72487, and it did not crash. However, something seems to leak memory. I increased the loop in the test program to 50000. Still no crash, but the memory usage steadily grew to 400 MB.

The branch qtwebkit-2.1 from the qtwebkit repo still crashes (after 250 test runs in the test program). But good to know that the fix will go into that repo.