The following SVG triggers a deref of a NULL shadowTree in updateContainerSize:
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<use xlink:href="url(#use)" >
Has this been fixed elsewhere? It's no longer crashing.
Tested with WebKit r72986.
Yeah, it looks like this got fixed in one of the recent use element patches over the last few months. If I had to guess I'd say it was probably: http://trac.webkit.org/changeset/69936