The HasSet is being modified during enumeration: #0 0x037ee823 in WebCore::SVGDocumentExtensions::removeTimeContainer (this=0x1abc73c0, element=0x1abe34d0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGDocumentExtensions.cpp:62 #1 0x0385b1ef in WebCore::SVGSVGElement::~SVGSVGElement (this=0x1abe34d0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGSVGElement.cpp:82 #2 0x033049f8 in WebCore::ContainerNode::removeAllChildren (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/ContainerNode.cpp:113 #3 0x0330810c in WebCore::ContainerNode::~ContainerNode (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/ContainerNode.cpp:119 #4 0x0343ef11 in WebCore::Element::~Element (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/Element.cpp:126 #5 0x0389c139 in WebCore::StyledElement::~StyledElement (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/StyledElement.cpp:125 #6 0x037f71d4 in WebCore::SVGElement::~SVGElement (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGElement.cpp:59 #7 0x0385f47b in WebCore::SVGStyledElement::~SVGStyledElement (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGStyledElement.cpp:57 #8 0x03861401 in WebCore::SVGStyledLocatableElement::~SVGStyledLocatableElement (this=0x1abe49a0, __vtt_parm=0x45abd88) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGStyledLocatableElement.cpp:43 #9 0x03861d96 in WebCore::SVGStyledTransformableElement::~SVGStyledTransformableElement (this=0x1abe49a0, __vtt_parm=0x45abd84) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGStyledTransformableElement.cpp:49 #10 0x038046c9 in WebCore::SVGGElement::~SVGGElement (this=0x1abe49a0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGGElement.cpp:42 #11 0x0322caab in WebCore::TreeShared<WebCore::Node>::removedLastRef (this=0x1abe49a0) at TreeShared.h:99 #12 0x038665ff in WebCore::TreeShared<WebCore::Node>::deref (this=0x1abe49a0) at TreeShared.h:69 #13 0x03877bb6 in WTF::RefPtr<WebCore::SVGElement>::operator= (this=0x1abe1ba0, optr=0x1abab600) at RefPtr.h:118 #14 0x03876f2d in WebCore::SVGUseElement::buildPendingResource (this=0x1abe1a40) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGUseElement.cpp:310 #15 0x038740a5 in WebCore::SVGUseElement::svgAttributeChanged (this=0x1abe1a40, attrName=@0x1abbe94c) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGUseElement.cpp:139 #16 0x037f6944 in WebCore::SVGElement::attributeChanged (this=0x1abe1a40, attr=0x1abbe940, preserveDecls=false) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGElement.cpp:266 #17 0x036b6cda in WebCore::NamedAttrMap::addAttribute (this=0x1abe1bd0, prpAttribute=@0xbfffd590) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/NamedAttrMap.cpp:250 #18 0x0343d773 in WebCore::Element::setAttribute (this=0x1abe1a40, name=@0xbfffd620, value=@0xbfffd61c, ec=@0xbfffd610) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/Element.cpp:525 #19 0x037dc70e in WebCore::SVGAnimationElement::setTargetAttributeAnimatedValue (this=0x1abe27f0, value=@0xbfffd680) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGAnimationElement.cpp:307 #20 0x037d62aa in WebCore::SVGAnimateElement::applyResultsToTarget (this=0x1abe27f0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGAnimateElement.cpp:258 #21 0x039d600f in WebCore::SMILTimeContainer::updateAnimations (this=0x1abc70f0, elapsed=@0xbfffd7d8) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/animation/SMILTimeContainer.cpp:275 #22 0x039d6238 in WebCore::SMILTimeContainer::begin (this=0x1abc70f0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/animation/SMILTimeContainer.cpp:102 #23 0x037ee77d in WebCore::SVGDocumentExtensions::startAnimations (this=0x1abc73c0) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/svg/SVGDocumentExtensions.cpp:72 #24 0x033f39ee in WebCore::Document::implicitClose (this=0x6918600) at /Volumes/Eclair/WebKit-OpenSource.git/WebCore/dom/Document.cpp:1643

Here's a hacky fix: diff --git a/WebCore/svg/SVGDocumentExtensions.cpp b/WebCore/svg/SVGDocumentExtensions.cpp index 98e6d68..c5fc040 100644 --- a/WebCore/svg/SVGDocumentExtensions.cpp +++ b/WebCore/svg/SVGDocumentExtensions.cpp @@ -66,10 +66,19 @@ void SVGDocumentExtensions::startAnimations() { // FIXME: Eventually every "Time Container" will need a way to latch on to some global timer // starting animations for a document will do this "latching" -#if ENABLE(SVG_ANIMATION) - HashSet<SVGSVGElement*>::iterator end = m_timeContainers.end(); - for (HashSet<SVGSVGElement*>::iterator itr = m_timeContainers.begin(); itr != end; ++itr) - (*itr)->timeContainer()->begin(); +#if ENABLE(SVG_ANIMATION) + + // Make a copy, since calling begin() on a timeContainer may call back into + // addTimeContainer/removeTimeContainer and change the HashSet. + HashSet<SVGSVGElement*> timeContainersCopy(m_timeContainers); + + HashSet<SVGSVGElement*>::iterator end = timeContainersCopy.end(); + for (HashSet<SVGSVGElement*>::iterator itr = timeContainersCopy.begin(); itr != end; ++itr) + { + // FIXME: hack + if (m_timeContainers.find(*itr) != m_timeContainers.end()) + (*itr)->timeContainer()->begin(); + } #endif } Note that copying the HashSet is required to avoid modification during enumeration, and the .find() check is required because SVGSVGElements can be destroyed in begin() callbacks. It seems like m_timeContainers needs to hold references to SVG elements.

This hack is probably needed, because internal SVGSVGElement's created during use-symbol-expansion, register themselves as time container, see bug 19432.

<rdar://problem/6236387>

No assertion anymore in ToT, works just fine but this example triggers a bug in the new <use> implementation, that I expected to show up (we had no tests covering this). When width/height is a percentual value, window size changes are not handled correctly. Will fix this soon, needs a reduced testcase.

Oops, I mixed up the bug report - this example works fine now, no problems on resize, no assertions.