The following will cause a crash:

<figcaption style="width:1px;">
<svg style="width:intrinsic;"/>

In debug builds, the following assert is hit:

ASSERTION FAILED: isEmbeddedThroughFrameContainingSVGDocument()
../../third_party/WebKit/Source/WebCore/rendering/svg/RenderSVGRoot.cpp(177) : virtual WebCore::LayoutUnit WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const

Original bug: http://crbug.com/126416
Crashes ToT, but not Safari 5.1.5 for me. Release build stack trace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010c31ee38 WebCore::RenderSVGRoot::computeReplacedLogicalWidth(bool) const + 344
1 com.apple.WebCore 0x000000010cb53295 WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderRegion*, WebCore::FractionalLayoutUnit) + 485
2 com.apple.WebCore 0x000000010c1b2c0a WebCore::RenderBox::computeLogicalWidth() + 26
3 com.apple.WebCore 0x000000010c31eb09 WebCore::RenderSVGRoot::layout() + 169
4 com.apple.WebCore 0x000000010cb4c461 WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 913
...
The assert at the end of RenderSVGRoot::computeReplacedLogicalWidth() is wrong: we can also reach that point for inline SVGs when the width attribute doesn't establish the viewport (see SVGSVGElement::widthAttributeEstablishesViewport).

The release crash happens in

return document()->frame()->ownerRenderer()->availableLogicalWidth()

because ownerRenderer() is NULL for the case of inline SVG. This also seems to affect RenderSVGRoot::computeReplacedLogicalHeight().

I guess the question is what to do when
a) widthAttributeEstablishesViewport() == false and
b) the SVG element is not embedded via object/iframe

Fall back to RenderReplaced::computeReplacedLogicalWidth?
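
A simplified model of the failure described in the comment above, added here as an illustration; it is not WebKit code and not the change landed in r121041. The types `OwnerRenderer`, `Frame` and `SvgRootModel` and their fields are hypothetical stand-ins, and `replacedFallback` stands for whatever generic replaced-element sizing would return.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the renderer objects named in the comment.
struct OwnerRenderer {
    int width;
    int availableLogicalWidth() const { return width; }
};

struct Frame {
    const OwnerRenderer* owner;  // null when the <svg> is inline in an HTML document
    const OwnerRenderer* ownerRenderer() const { return owner; }
};

struct SvgRootModel {
    Frame frame;
    bool widthAttributeEstablishesViewport;
    int widthAttribute;    // used only when the attribute establishes the viewport
    int replacedFallback;  // assumed result of generic replaced-element sizing

    // The unguarded path relies on an ASSERT that release builds compile out.
    // This reports the condition under which it would dereference null,
    // without actually doing so.
    bool unguardedWouldDereferenceNull() const {
        return !widthAttributeEstablishesViewport && !frame.ownerRenderer();
    }

    // Guarded path: test the pointer at run time and fall back when it is null.
    int computeReplacedLogicalWidth() const {
        if (widthAttributeEstablishesViewport)
            return widthAttribute;
        if (const OwnerRenderer* owner = frame.ownerRenderer())
            return owner->availableLogicalWidth();
        return replacedFallback;  // inline <svg>: no owner renderer exists
    }
};

int main() {
    OwnerRenderer object{300};                         // constructed sample values
    SvgRootModel embedded{{&object}, false, 0, 150};   // embedded via object/iframe
    SvgRootModel inlineSvg{{nullptr}, false, 0, 150};  // the crashing case
    std::printf("embedded=%d inline=%d unguarded-null=%d\n",
                embedded.computeReplacedLogicalWidth(),
                inlineSvg.computeReplacedLogicalWidth(),
                inlineSvg.unguardedWouldDereferenceNull());
    return 0;
}
```

The point for reviewers is that a debug-only assert documents an assumed invariant but enforces nothing in release builds, so any pointer it vouches for still needs a run-time check on paths that untrusted markup can reach.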
Created attachment 148647
Minimized crasher
Created attachment 149049
Patch
Comment on attachment 149049
Patch

Clearing flags on attachment: 149049

Committed r121041: <http://trac.webkit.org/changeset/121041>
All reviewed patches have been landed. Closing bug.