The svg/custom/use-instanceRoot-event-bubbling.xhtml test is crashing on the bots, and also for me.
It asserts at: 0 com.apple.WebCore 0x00000001011a2561 WebCore::FrameView::layout(bool) + 3101 (FrameView.cpp:808) 1 com.apple.WebCore 0x00000001011a29f7 WebCore::FrameView::forceLayout(bool) + 29 (FrameView.cpp:2027) 2 com.apple.WebKit 0x00000001008e4d7a -[WebHTMLView layoutToMinimumPageWidth:maximumPageWidth:adjustingViewSize:] + 231 (WebHTMLView.mm:3129) 3 com.apple.WebKit 0x00000001008d70e8 -[WebHTMLView layout] + 43 (WebHTMLView.mm:3143) 4 DumpRenderTree 0x0000000100016450 -[EventSendingController mouseDown:withModifiers:] + 96 (EventSendingController.mm:318) 5 com.apple.CoreFoundation 0x00007fff8016fd2c __invoking___ + 140 6 com.apple.CoreFoundation 0x00007fff8016fbfd -[NSInvocation invoke] + 141 7 com.apple.WebCore 0x0000000101685526 JSC::Bindings::ObjcInstance::invokeObjcMethod(JSC::ExecState*, JSC::Bindings::ObjcMethod*) + 1320 (objc_instance.mm:299) 8 com.apple.WebCore 0x000000010168581e JSC::Bindings::ObjcInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*) + 288 (objc_instance.mm:208) 9 com.apple.WebCore 0x000000010182a0af JSC::callRuntimeMethod(JSC::ExecState*) + 404 (runtime_method.cpp:117) 10 com.apple.JavaScriptCore 0x00000001001bf01b cti_op_call_NotJSFunction + 450 (JITStubs.cpp:2066) 11 com.apple.JavaScriptCore 0x00000001001b7961 jscGeneratedNativeCode + 0 (JITStubs.cpp:998) 12 com.apple.JavaScriptCore 0x0000000100197a9a JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*, JSC::JSValue*) + 76 (JITCode.h:77) 13 com.apple.JavaScriptCore 0x0000000100194523 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) + 977 (Interpreter.cpp:703) 14 com.apple.JavaScriptCore 0x0000000100166aa5 JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 484 (Completion.cpp:63) 15 com.apple.WebCore 0x0000000101476832 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) + 58 (JSMainThreadExecState.h:54) 16 com.apple.WebCore 0x0000000101839cd6 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*, WebCore::ShouldAllowXSS) + 514 (ScriptController.cpp:151) 17 com.apple.WebCore 0x0000000101839ee0 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 58 (ScriptController.cpp:178) 18 com.apple.WebCore 0x000000010183f7da WebCore::ScriptController::executeScript(WebCore::ScriptSourceCode const&, WebCore::ShouldAllowXSS) + 142 (ScriptControllerBase.cpp:62) 19 com.apple.WebCore 0x0000000101a18b3a WebCore::XMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 522 (XMLDocumentParser.cpp:344) 20 com.apple.WebCore 0x0000000100e98dc0 WebCore::CachedScript::checkNotify() + 86 (CachedScript.cpp:111) 21 com.apple.WebCore 0x0000000100e98e90 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 142 (CachedScript.cpp:103) 22 com.apple.WebCore 0x000000010161f119 WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader*) + 449 (loader.cpp:406) 23 com.apple.WebCore 0x00000001018c8ab7 WebCore::SubresourceLoader::didFinishLoading() + 159 (SubresourceLoader.cpp:196) 24 com.apple.WebCore 0x000000010181bbec WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 38 (ResourceLoader.cpp:444) 25 com.apple.WebCore 0x00000001018171e9 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 270 (ResourceHandleMac.mm:860) 26 com.apple.Foundation 0x00007fff8334ab6c _NSURLConnectionDidFinishLoading + 113 27 com.apple.CFNetwork 0x00007fff8571806e URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 174 28 com.apple.CFNetwork 0x00007fff8577d3e2 URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 254 29 com.apple.CFNetwork 0x00007fff8577d64e URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874 30 com.apple.CFNetwork 0x00007fff8570479f URLConnectionClient::processEvents() + 121 31 com.apple.CFNetwork 0x00007fff8570457c MultiplexerSource::perform() + 160 32 com.apple.CoreFoundation 0x00007fff80137e91 __CFRunLoopDoSources0 + 1361 33 com.apple.CoreFoundation 0x00007fff80136089 __CFRunLoopRun + 873 34 com.apple.CoreFoundation 0x00007fff8013584f CFRunLoopRunSpecific + 575 35 com.apple.Foundation 0x00007fff83304a18 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 270 36 DumpRenderTree 0x0000000100010650 runTest(std::string const&) + 1795 (DumpRenderTree.mm:1276) 37 DumpRenderTree 0x0000000100010b3d runTestingServerLoop() + 145 (DumpRenderTree.mm:609) 38 DumpRenderTree 0x0000000100010f52 dumpRenderTree(int, char const**) + 309 (DumpRenderTree.mm:665) 39 DumpRenderTree 0x0000000100011174 main + 97 (DumpRenderTree.mm:707) 40 DumpRenderTree 0x0000000100002060 start + 52
Asserts at ASSERT(!root->needsLayout()); after doing layout. I don't see this when running the test manually.
Found the problem: it's related to the SVG cloneNode fixes. The style attributes is being synchronized, when using cloneNode() while building the shadow tree. That causes attributeChanged() calls which in turn call SVGElementInstance::invalidateAllInstancesOfElement() marking the shadow tree as "needs to be recreated" while it's creating the tree. Going to fix soon.
Created attachment 61030 [details] Initial patch
Landed in r62931. Thanks Simon for the report, didn't notice that crash locally, only when running gdb on DRT.