Chromium: http://code.google.com/p/chromium/issues/detail?id=108057 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <text id="text"></text> <tref xlink:href="#text"/> <script> document.documentElement.replaceChild( document.createElement('anything'), // inserted element document.getElementById('text')); // removed element </script> </svg> stack: chrome.dll!WebCore::SVGTRefElement::updateReferencedText chrome.dll!WebCore::SubtreeModificationEventListener::handleEvent chrome.dll!WebCore::EventTarget::fireEventListeners chrome.dll!WebCore::EventTarget::fireEventListeners chrome.dll!WebCore::Node::handleLocalEvents chrome.dll!WebCore::EventDispatcher::dispatchEvent chrome.dll!WebCore::EventDispatchMediator::dispatchEvent chrome.dll!WebCore::EventDispatcher::dispatchEvent chrome.dll!WebCore::ScopedEventQueue::dispatchEvent chrome.dll!WebCore::ScopedEventQueue::enqueueEventDispatchMediator chrome.dll!WebCore::EventDispatcher::dispatchScopedEvent chrome.dll!WebCore::Node::dispatchScopedEvent chrome.dll!WebCore::Node::dispatchSubtreeModifiedEvent chrome.dll!WebCore::ContainerNode::replaceChild chrome.dll!WebCore::Node::replaceChild chrome.dll!WebCore::V8Node::replaceChildCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...
The DOMSubtreeModifiedEvent listener is still active on the target's parent after the target is removed. We need to catch the target removal event and deactivate any associated listeners. I have a first-pass at this following up. Additionally: * on target removal, mark the tref as resource-pending again, to reattach if the same id is added at a later time (I believe this is desirable) * move the DOMSubtreeModifiedEvent to the target element itself to keep things simple (I think we're only interested in catching updates to the target element, and the event appears to be dispatched to it too - hope I'm not missing something here)
Created attachment 121727 [details] Patch
Created attachment 122019 [details] Reduced test.
Created attachment 127225 [details] Patch Updated after the recent shadow tree changes.
Comment on attachment 127225 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=127225&action=review Looks just great! r=me. > Source/WebCore/svg/SVGTRefElement.cpp:185 > + Node* container = shadowRootList()->oldestShadowRoot()->firstChild(); oldestShadowRoot, and shadowRootList are guaranteed non-null? If yes, there's nothing hold back a cq+.
(In reply to comment #5) > > Source/WebCore/svg/SVGTRefElement.cpp:185 > > + Node* container = shadowRootList()->oldestShadowRoot()->firstChild(); > > oldestShadowRoot, and shadowRootList are guaranteed non-null? Yes, SVGTRefElement::create() calls createShadowSubtree() which initializes the shadow root plumbing. > If yes, there's nothing hold back a cq+. Thanks!
Comment on attachment 127225 [details] Patch r=me.
Comment on attachment 127225 [details] Patch Clearing flags on attachment: 127225 Committed r108082: <http://trac.webkit.org/changeset/108082>
All reviewed patches have been landed. Closing bug.