Created attachment 215102 [details]
Repro

When tearing down a document, we don't cancel the document's SMIL timers until the document is garbage collected. This can lead to the timers firing after the document is no longer active.

A simple repro is attached; running it in DRT multiple times in a row without garbage collecting between runs will crash.
Created attachment 215103 [details] Patch
An analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
(In reply to comment #2)
> An analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().

Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.
(In reply to comment #3)
> (In reply to comment #2)
> > An analogous call to accessSVGExtensions()->pauseAnimations() is needed in Document::dropChildren(). This will roughly match the model used by clearScriptedAnimationController().
>
> Sounds like we need a shared function then, if there is a list of things that both prepareForDestruction and dropChildren do.

There doesn't appear to be much in common. Currently, I think clearScriptedAnimationController() is the only function that's called by both of them. Although, I'm kind of curious if maybe there should be more.
Created attachment 215706 [details] Patch
Comment on attachment 215706 [details]
Patch

Clearing flags on attachment: 215706

Committed r158627: <http://trac.webkit.org/changeset/158627>
All reviewed patches have been landed. Closing bug.
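
The lifecycle problem discussed in this bug, as an added example that is not WebKit code and not part of the thread: a toy model in which a queued timer outlives document teardown because the document has not been collected yet, and pausing animations in both teardown paths stops it. `RunLoop`, `ModelDocument`, `staleFires` and `staleFiresAfterTeardown` are hypothetical names; only `pauseAnimations`, `prepareForDestruction` and `dropChildren` echo names used in the comments above.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Toy run loop standing in for the one that fires SMIL animation timers.
struct RunLoop {
    std::vector<std::function<void()>> timers;
    void fireAll() {
        auto due = std::move(timers);
        timers.clear();
        for (auto& fire : due) fire();
    }
};

// Hypothetical model of a document; not WebKit's Document class.
struct ModelDocument {
    bool active = true;            // false once torn down; object still awaits GC
    bool animationsPaused = false;
    int staleFires = 0;            // timer callbacks that ran on an inactive document

    void startAnimation(RunLoop& loop, std::shared_ptr<ModelDocument> self) {
        // The queued timer keeps the document reachable, like an uncollected document.
        loop.timers.push_back([self] {
            if (self->animationsPaused) return;     // cancelled at teardown
            if (!self->active) ++self->staleFires;  // failure mode from the report
        });
    }
    void pauseAnimations() { animationsPaused = true; }
    // Teardown entry points; pauseOnTeardown=false models teardown without the call.
    void prepareForDestruction(bool pauseOnTeardown) { tearDown(pauseOnTeardown); }
    void dropChildren(bool pauseOnTeardown) { tearDown(pauseOnTeardown); }
private:
    void tearDown(bool pauseOnTeardown) {
        if (pauseOnTeardown) pauseAnimations();
        active = false;
    }
};

// One teardown followed by a run-loop turn, with no garbage collection in between.
int staleFiresAfterTeardown(bool pauseOnTeardown, bool viaDropChildren) {
    RunLoop loop;
    auto doc = std::make_shared<ModelDocument>();
    doc->startAnimation(loop, doc);
    if (viaDropChildren) doc->dropChildren(pauseOnTeardown);
    else doc->prepareForDestruction(pauseOnTeardown);
    loop.fireAll();
    return doc->staleFires;
}
```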