Created attachment 106130 [details]
Repro

Repro:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:x="x">
  <foreignObject id="foreignObject">
    <x:div id="x"></x:div>
  </foreignObject>
  <use id="use" xlink:href="#foreignObject" />
  <use xlink:href="#use"/>
  <script>
    document.documentElement.insertBefore(document.getElementById("x"));
  </script>
</svg>

Not sure what happens exactly, but the foreignObject element ends up with a NULL shadow tree element, which triggers ASSERTs and a NULL ptr:

void SVGElementInstance::invalidateAllInstancesOfElement(SVGElement* element)
{
    if (!element || !element->inDocument())
        return;

    if (element->isStyled() && static_cast<SVGStyledElement*>(element)->instanceUpdatesBlocked())
        return;

    const HashSet<SVGElementInstance*>& set = element->instancesForElement();
    if (set.isEmpty())
        return;

    // Mark all use elements referencing 'element' for rebuilding
    const HashSet<SVGElementInstance*>::const_iterator end = set.end();
    for (HashSet<SVGElementInstance*>::const_iterator it = set.begin(); it != end; ++it) {
        ASSERT((*it)->shadowTreeElement());
        ASSERT((*it)->shadowTreeElement()->correspondingElement());
        ASSERT((*it)->correspondingElement() == element);
        (*it)->shadowTreeElement()->setCorrespondingElement(0);

        if (SVGUseElement* element = (*it)->correspondingUseElement()) {
            ASSERT(element->inDocument());
            element->invalidateShadowTree();
        }
    }

    // Be sure to rebuild use trees, if needed
    element->document()->updateLayoutIgnorePendingStylesheets();
}

id:          chrome.dll!WebCore::SVGElement::ensureRareSVGData ReadAV@NULL (b5516c4ed1ba6200134db33c80c5ed49)
description: Attempt to read from unallocated NULL pointer+0x27 in chrome.dll!WebCore::SVGElement::ensureRareSVGData
stack:
    chrome.dll!WebCore::SVGElement::ensureRareSVGData
    chrome.dll!WebCore::SVGElement::setCorrespondingElement
    chrome.dll!WebCore::SVGElementInstance::invalidateAllInstancesOfElement
    chrome.dll!WebCore::SVGStyledElement::childrenChanged
    chrome.dll!WebCore::ContainerNode::removeChild
    chrome.dll!WebCore::ContainerNode::appendChild
    chrome.dll!WebCore::ContainerNode::insertBefore
    chrome.dll!WebCore::Node::insertBefore
    chrome.dll!WebCore::V8Node::insertBeforeCallback
    chrome.dll!v8::internal::HandleApiCallHelper<...>
    chrome.dll!v8::internal::Builtin_HandleApiCall
    chrome.dll!v8::internal::Invoke
    chrome.dll!v8::internal::Execution::Call
    ...
Chromium: https://code.google.com/p/chromium/issues/detail?id=95201
This was fixed at some point and does not crash Chromium ToT. It does crash Chrome 19, but that does not have the fix in it, to my knowledge.

I believe the relevant changes are:

Initial patch: <http://trac.webkit.org/changeset/109299>
And follow up: <http://trac.webkit.org/changeset/109333>

These disallow foreign object inside a <use> element, as the spec demands.
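As an added example (not code from this bug, from WebKit, or from the commenters), the following Python check flags the markup shape the fix above rejects: any <use> whose href chain resolves, directly or through other <use> elements, to a subtree containing a <foreignObject>. It also reports reference cycles, which a naive chain-follower would loop on. The function names and the sample markup are constructed for this example; the sample mirrors the structure of the attached repro (foreignObject reached through two chained <use> elements).

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample with the same shape as the bug's repro:
# a foreignObject referenced through a chain of two <use> elements.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:x="x">
  <foreignObject id="foreignObject"><x:div id="x"/></foreignObject>
  <use id="use" xlink:href="#foreignObject"/>
  <use xlink:href="#use"/>
</svg>"""


def _tag(ns, local):
    """Clark-notation tag name used by ElementTree, e.g. '{ns}use'."""
    return "{%s}%s" % (ns, local)


def resolve_use_target(use, by_id):
    """Follow a <use>'s href through any intermediate <use> elements.

    Returns (target_or_None, id_chain, is_cycle). Accepts both the
    xlink:href form (as in the repro) and the unprefixed href form.
    """
    chain = []
    seen = set()
    current = use
    while True:
        href = current.get(_tag(XLINK_NS, "href")) or current.get("href")
        if not href or not href.startswith("#"):
            return None, chain, False          # external or missing reference
        ref_id = href[1:]
        if ref_id in seen:
            return None, chain + [ref_id], True  # use -> ... -> use cycle
        seen.add(ref_id)
        chain.append(ref_id)
        target = by_id.get(ref_id)
        if target is None:
            return None, chain, False          # dangling reference
        if target.tag != _tag(SVG_NS, "use"):
            return target, chain, False
        current = target                       # keep following the chain


def find_foreign_object_uses(svg_text):
    """Return one finding per <use> that resolves to foreignObject content
    or sits in a reference cycle. An empty list means the document has no
    use/foreignObject combination of the kind the fix disallows."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    fo_tag = _tag(SVG_NS, "foreignObject")
    findings = []
    for use in root.iter(_tag(SVG_NS, "use")):
        target, chain, is_cycle = resolve_use_target(use, by_id)
        if is_cycle:
            findings.append({"use": use.get("id"), "chain": chain, "reason": "cycle"})
            continue
        if target is None:
            continue
        # The target itself may be a foreignObject, or contain one anywhere below.
        if target.tag == fo_tag or target.find(".//" + fo_tag) is not None:
            findings.append({"use": use.get("id"), "chain": chain, "reason": "foreignObject"})
    return findings


if __name__ == "__main__":
    for finding in find_foreign_object_uses(SAMPLE_SVG):
        print(finding)
```

Run on the constructed sample, the check reports both <use> elements: the first resolves to the foreignObject directly, the second through the chain use -> foreignObject. A sanitizer or upload filter would reject the document on any non-empty result rather than trying to repair it.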