This is what I get going to the above URL with TOT:

EXC_BAD_ACCESS (0x0001)
KERN_PROTECTION_FAILURE (0x0002) at 0x003a0033

Thread 0 Crashed:
0 WebCore::TreeShared<WebCore::Node>::ref() + 32 (Shared.h:51)
1 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 304 (EventTargetNode.cpp:179)
2 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 348 (EventTargetNode.cpp:292)
3 WebCore::EventTargetNode::dispatchHTMLEvent(WebCore::AtomicString const&, bool, bool) + 172 (EventTargetNode.cpp:481)
4 WebCore::HTMLScriptElement::notifyFinished(WebCore::CachedResource*) + 244 (HTMLScriptElement.cpp:155)
5 WebCore::CachedScript::checkNotify() + 112 (CachedScript.cpp:108)
6 WebCore::CachedScript::data(WTF::Vector<char, (unsigned long)0>&, bool) + 184 (CachedScript.cpp:100)
7 WebCore::Loader::receivedAllData(WebCore::ResourceLoader*, NSData*) + 464 (loader.cpp:138)
8 -[WebCoreResourceLoaderImp finishJobAndHandle:] + 180 (WebCoreResourceLoaderImp.mm:98)
9 -[WebCoreResourceLoaderImp finishWithData:] + 196 (WebCoreResourceLoaderImp.mm:130)
...
The problem appears to be a script that deletes its own <script> element. Looks like the fix is for HTMLScriptElement::notifyFinished() to protect itself with a ref()/deref() (it will also be cleaner to change the cs->deref(this) to m_cachedScript->deref(this) only if m_cachedScript is still non-0). Other callers to HTMLScriptElement::evaluateScript() appear to be safe, since it's the last thing they call.
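The ref()/deref() protection suggested in the comment above, sketched as an added example that is not part of the original thread and is not WebKit's code. `Node`, `Protector`, `ScriptElement` and `runSelfRemovingScript` are toy stand-ins invented for illustration; the scenario is constructed.

```cpp
#include <cstdio>
#include <functional>

// Toy intrusive refcount standing in for TreeShared (hypothetical, not WebCore code).
struct Node {
    static int liveNodes;
    int refCount = 0;
    Node() { ++liveNodes; }
    virtual ~Node() { --liveNodes; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int Node::liveNodes = 0;
// RAII guard: holds one reference for the duration of a scope.
struct Protector {
    Node* node;
    explicit Protector(Node* n) : node(n) { node->ref(); }
    ~Protector() { node->deref(); }
    Protector(const Protector&) = delete;
};

struct ScriptElement : Node {
    std::function<void()> script;      // stands in for the loaded script
    bool loadEventDispatched = false;
    void notifyFinished() {
        Protector protect(this);       // without this, script() can free *this
        script();                      // may drop the tree's last reference
        loadEventDispatched = true;    // safe: the guard still holds a reference
    }                                  // guard released; element may be freed here
};

struct Result { int liveDuringDispatch; int liveAfterReturn; };
// Constructed scenario: the script removes its own element from the tree.
Result runSelfRemovingScript() {
    Result r{};
    ScriptElement* el = new ScriptElement;
    el->ref();                         // the document tree's reference
    el->script = [el, &r] {
        el->deref();                   // tree lets go; only the guard remains
        r.liveDuringDispatch = Node::liveNodes;
    };
    el->notifyFinished();
    r.liveAfterReturn = Node::liveNodes;
    return r;
}

int main() {
    Result r = runSelfRemovingScript();
    std::printf("%d %d\n", r.liveDuringDispatch, r.liveAfterReturn);
}
```

The element stays alive while the callback and the code after it run, and is destroyed only when the guard goes out of scope at the end of `notifyFinished()`.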
Created attachment 10758
Reduction (will crash)

Crashes run-webkit-tests immediately, in Safari you need to reload to get the crash (might be a good junk/bad junk thing).
radar 4701860
*** Bug 11837 has been marked as a duplicate of this bug. ***
Fixed (completely independently of this Bugzilla bug) by Anders in r18335.
(In reply to comment #3)
> radar 4701860

Per r18335, also:

<rdar://problem/4726407> [9A255] Crash in WebCore::EventTargetNode::dispatchEvent

http://trac.webkit.org/projects/webkit/changeset/18335