Created attachment 17620 [details] WebArchive of crashing page

Confirmed with r28273. WebArchive crashed every time for me. Safari(12427,0xa01c3f60) malloc: *** error for object 0x1ac889e0: incorrect checksum for freed object - object was probably modified after being freed. Thread 0 Crashed: 0 libSystem.B.dylib 0x911ec14d szone_free + 1747 1 libSystem.B.dylib 0x911eb9ed free + 106 2 com.apple.JavaScriptCore 0x004205da WTF::fastFree(void*) + 86 (FastMalloc.cpp:172) 3 com.apple.JavaScriptCore 0x004bc1ef jsRegExpCompile(unsigned short const*, int, JSRegExpIgnoreCaseOption, JSRegExpMultilineOption, unsigned int*, char const**) + 539 (pcre_compile.cpp:2856) 4 com.apple.JavaScriptCore 0x004290ad KJS::RegExp::RegExp(KJS::UString const&, KJS::UString const&) + 417 (regexp.cpp:70) 5 com.apple.JavaScriptCore 0x004290db KJS::RegExp::RegExp(KJS::UString const&, KJS::UString const&) + 31 (regexp.cpp:71) 6 com.apple.JavaScriptCore 0x0044b553 KJS::RegExpObjectImp::construct(KJS::ExecState*, KJS::List const&) + 323 (regexp_object.cpp:452) 7 com.apple.JavaScriptCore 0x0049970b KJS::NewExprNode::inlineEvaluate(KJS::ExecState*) + 379 (nodes.cpp:886) 8 com.apple.JavaScriptCore 0x00451ac6 KJS::NewExprNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:892) 9 com.apple.JavaScriptCore 0x00443fd4 KJS::ArgumentListNode::evaluateList(KJS::ExecState*, KJS::List&) + 54 (nodes.cpp:843) 10 com.apple.JavaScriptCore 0x004987cf KJS::ArgumentsNode::evaluateList(KJS::ExecState*, KJS::List&) + 63 (nodes.h:511) 11 com.apple.JavaScriptCore 0x00499008 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 494 (nodes.cpp:1196) 12 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 13 com.apple.JavaScriptCore 0x0043f656 KJS::ReturnNode::execute(KJS::ExecState*) + 268 (nodes.cpp:4108) 14 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 15 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 16 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 17 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 18 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 19 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 20 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 21 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 22 com.apple.JavaScriptCore 0x004417e7 KJS::AssignLocalVarNode::evaluate(KJS::ExecState*) + 229 (nodes.cpp:3197) 23 com.apple.JavaScriptCore 0x00444988 KJS::ExpressionNode::evaluateToBoolean(KJS::ExecState*) + 30 (nodes.cpp:235) 24 com.apple.JavaScriptCore 0x00440892 KJS::IfNode::execute(KJS::ExecState*) + 136 (nodes.cpp:3743) 25 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 26 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 27 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 28 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 29 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 30 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 31 com.apple.JavaScriptCore 0x00439c86 KJS::ArrayProtoFuncForEach::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 442 (array_object.cpp:640) 32 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 33 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 34 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 35 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 36 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 37 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 38 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 39 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 40 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 41 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 42 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 43 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 44 com.apple.JavaScriptCore 0x00443fd4 KJS::ArgumentListNode::evaluateList(KJS::ExecState*, KJS::List&) + 54 (nodes.cpp:843) 45 com.apple.JavaScriptCore 0x004987cf KJS::ArgumentsNode::evaluateList(KJS::ExecState*, KJS::List&) + 63 (nodes.h:511) 46 com.apple.JavaScriptCore 0x00499008 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 494 (nodes.cpp:1196) 47 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 48 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 49 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 50 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 51 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 52 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 53 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 54 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 55 com.apple.JavaScriptCore 0x00439c86 KJS::ArrayProtoFuncForEach::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 442 (array_object.cpp:640) 56 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 57 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 58 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 59 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 60 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 61 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 62 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 63 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 64 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 65 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 66 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 67 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 68 com.apple.JavaScriptCore 0x00443fd4 KJS::ArgumentListNode::evaluateList(KJS::ExecState*, KJS::List&) + 54 (nodes.cpp:843) 69 com.apple.JavaScriptCore 0x004987cf KJS::ArgumentsNode::evaluateList(KJS::ExecState*, KJS::List&) + 63 (nodes.h:511) 70 com.apple.JavaScriptCore 0x00499008 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 494 (nodes.cpp:1196) 71 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 72 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 73 com.apple.JavaScriptCore 0x004408f6 KJS::IfNode::execute(KJS::ExecState*) + 236 (nodes.cpp:3748) 74 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 75 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 76 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 77 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 78 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 79 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 80 com.apple.JavaScriptCore 0x00439c86 KJS::ArrayProtoFuncForEach::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 442 (array_object.cpp:640) 81 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 82 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 83 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 84 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 85 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 86 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 87 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 88 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 89 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 90 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 91 com.apple.JavaScriptCore 0x004993cd KJS::FunctionCallResolveNode::inlineEvaluate(KJS::ExecState*) + 655 (nodes.cpp:1005) 92 com.apple.JavaScriptCore 0x00450f98 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1016) 93 com.apple.JavaScriptCore 0x00498e4a KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 48 (nodes.cpp:1178) 94 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 95 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 96 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 97 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 98 com.apple.JavaScriptCore 0x0043dad9 KJS::TryNode::execute(KJS::ExecState*) + 137 (nodes.cpp:4389) 99 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 100 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 101 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 102 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 103 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 104 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 105 com.apple.JavaScriptCore 0x0045f82a KJS::FunctionProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1400 (function_object.cpp:124) 106 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 107 com.apple.JavaScriptCore 0x00499122 KJS::FunctionCallDotNode::inlineEvaluate(KJS::ExecState*) + 776 (nodes.cpp:1203) 108 com.apple.JavaScriptCore 0x004500fc KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:1209) 109 com.apple.JavaScriptCore 0x0043f656 KJS::ReturnNode::execute(KJS::ExecState*) + 268 (nodes.cpp:4108) 110 com.apple.JavaScriptCore 0x004408f6 KJS::IfNode::execute(KJS::ExecState*) + 236 (nodes.cpp:3748) 111 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 112 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 113 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 114 com.apple.JavaScriptCore 0x0041447c KJS::FunctionImp::execute(KJS::ExecState*) + 38 (function.cpp:253) 115 com.apple.JavaScriptCore 0x00447604 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 384 (function.cpp:94) 116 com.apple.JavaScriptCore 0x004322ec KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 222 (object.cpp:95) 117 com.apple.JavaScriptCore 0x0043e929 KJS::FunctionImp::construct(KJS::ExecState*, KJS::List const&) + 155 (function.cpp:243) 118 com.apple.JavaScriptCore 0x0049970b KJS::NewExprNode::inlineEvaluate(KJS::ExecState*) + 379 (nodes.cpp:886) 119 com.apple.JavaScriptCore 0x00451ac6 KJS::NewExprNode::evaluate(KJS::ExecState*) + 30 (nodes.cpp:892) 120 com.apple.JavaScriptCore 0x00440a09 KJS::ExprStatementNode::execute(KJS::ExecState*) + 133 (nodes.cpp:3720) 121 com.apple.JavaScriptCore 0x0042147c KJS::statementListExecute(WTF::Vector<WTF::RefPtr<KJS::StatementNode>, 0ul>&, KJS::ExecState*) + 108 (nodes.cpp:3662) 122 com.apple.JavaScriptCore 0x004215a5 KJS::BlockNode::execute(KJS::ExecState*) + 45 (nodes.cpp:3696) 123 com.apple.JavaScriptCore 0x0043da37 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 47 (nodes.cpp:4582) 124 com.apple.JavaScriptCore 0x0045d8a4 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 834 (interpreter.cpp:381) 125 com.apple.WebCore 0x02316765 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 235 (kjs_proxy.cpp:87) 126 com.apple.WebCore 0x01f3fea4 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 92 (FrameLoader.cpp:759) 127 com.apple.WebCore 0x01fbb222 WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 308 (HTMLTokenizer.cpp:520) 128 com.apple.WebCore 0x01fbcd68 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1466 (HTMLTokenizer.cpp:470) 129 com.apple.WebCore 0x01fbd26f WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 929 (HTMLTokenizer.cpp:319) 130 com.apple.WebCore 0x01fbf106 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6488 (HTMLTokenizer.cpp:1229) 131 com.apple.WebCore 0x01fbf8f3 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1221 (HTMLTokenizer.cpp:1445) 132 com.apple.WebCore 0x01fbbc24 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 1048 (HTMLTokenizer.cpp:1758) 133 com.apple.WebCore 0x01e273f4 WebCore::CachedScript::checkNotify() + 68 (CachedScript.cpp:97) 134 com.apple.WebCore 0x01e27555 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 279 (CachedScript.cpp:89) 135 com.apple.WebCore 0x023250ac WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 340 (loader.cpp:116) 136 com.apple.WebCore 0x0229d793 WebCore::SubresourceLoader::didFinishLoading() + 169 (SubresourceLoader.cpp:195) 137 com.apple.WebCore 0x0223f63c WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:362) 138 com.apple.WebCore 0x0223d07c -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 116 (ResourceHandleMac.mm:456) 139 com.apple.Foundation 0x9372b357 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87 140 com.apple.Foundation 0x9372b2e4 _NSURLConnectionDidFinishLoading + 68 141 com.apple.CFNetwork 0x966e6adf sendDidFinishLoadingCallback + 148 142 com.apple.CFNetwork 0x966e39d2 _CFURLConnectionSendCallbacks + 1908 143 com.apple.CFNetwork 0x966e31e3 muxerSourcePerform + 283 144 com.apple.CoreFoundation 0x9063b64e CFRunLoopRunSpecific + 3166 145 com.apple.CoreFoundation 0x9063bd38 CFRunLoopRunInMode + 88 146 com.apple.HIToolbox 0x968f78a4 RunCurrentEventLoopInMode + 283 147 com.apple.HIToolbox 0x968f76bd ReceiveNextEventCommon + 374 148 com.apple.HIToolbox 0x968f7531 BlockUntilNextEventMatchingListInMode + 106 149 com.apple.AppKit 0x90746d5b _DPSNextEvent + 657 150 com.apple.AppKit 0x907466a0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 151 com.apple.Safari 0x00009d4e 0x1000 + 36174 152 com.apple.AppKit 0x9073f6d1 -[NSApplication run] + 795 153 com.apple.AppKit 0x9070c9ba NSApplicationMain + 574

I saw a different crash with WebKit nightly r28314: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000008 Thread 0 Crashed: 0 <<00000000>> 0x00000008 0 + 8 1 com.apple.WebCore 0x011cfe5c WebCore::HTMLImageElement::parseMappedAttribute(WebCore::MappedAttribute*) + 140 2 com.apple.WebCore 0x014eb024 WebCore::StyledElement::attributeChanged(WebCore::Attribute*, bool) + 500 3 com.apple.WebCore 0x0115f790 WebCore::Element::setAttributeMap(WebCore::NamedAttrMap*) + 528 4 com.apple.WebCore 0x011f1038 WebCore::HTMLParser::parseToken(WebCore::Token*) + 1080 5 com.apple.WebCore 0x01204ce4 WebCore::HTMLTokenizer::processToken() + 852 6 com.apple.WebCore 0x0120971c WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 7740 7 com.apple.WebCore 0x0120a06c WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1148 8 com.apple.WebCore 0x01203910 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 784 9 com.apple.WebCore 0x01087718 WebCore::CachedScript::checkNotify() + 88 10 com.apple.WebCore 0x01087b30 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 336 11 com.apple.WebCore 0x0156b5ec WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 412 12 com.apple.WebCore 0x014ebed0 WebCore::SubresourceLoader::didFinishLoading() + 96 13 com.apple.WebCore 0x0149a464 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 100 14 com.apple.Foundation 0x92c187ec -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 188 15 com.apple.Foundation 0x92c16a58 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 556 16 com.apple.Foundation 0x92c167b0 _sendCallbacks + 156 17 com.apple.CoreFoundation 0x907de42c __CFRunLoopDoSources0 + 384 18 com.apple.CoreFoundation 0x907dd95c __CFRunLoopRun + 452 19 com.apple.CoreFoundation 0x907dd3dc CFRunLoopRunSpecific + 268 20 com.apple.HIToolbox 0x9329eb20 RunCurrentEventLoopInMode + 264 21 com.apple.HIToolbox 0x9329e12c ReceiveNextEventCommon + 244 22 com.apple.HIToolbox 0x9329e020 BlockUntilNextEventMatchingListInMode + 96 23 com.apple.AppKit 0x937a4bc4 _DPSNextEvent + 384 24 com.apple.AppKit 0x937a4888 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 25 com.apple.Safari 0x00006740 0x1000 + 22336 26 com.apple.AppKit 0x937a0dcc -[NSApplication run] + 472 27 com.apple.AppKit 0x93891974 NSApplicationMain + 452 28 com.apple.Safari 0x0005c77c 0x1000 + 374652 29 com.apple.Safari 0x0005c624 0x1000 + 374308

WebKit nightly r28233 crashed for me this way (loading the webarchive attachment; same test method for Comment #3): Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000010 Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x0045d3ec WTF::fastFree(void*) + 1772 1 com.apple.WebCore 0x01021e4c WebCore::FreeArenaList(WebCore::ArenaPool*, WebCore::Arena*, bool) + 92 2 com.apple.WebCore 0x011398b4 WebCore::Document::detach() + 372 3 com.apple.WebCore 0x01189894 WebCore::Frame::setView(WebCore::FrameView*) + 132 4 com.apple.WebCore 0x0161ff4c -[WebCoreFrameBridge createFrameViewWithNSView:marginWidth:marginHeight:] + 76 5 com.apple.WebKit 0x0032f660 WebFrameLoaderClient::makeDocumentView() + 400 6 com.apple.WebCore 0x011a7e00 WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>) + 480 7 com.apple.WebCore 0x011a85e0 WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::CachedPage>) + 176 8 com.apple.WebCore 0x011472d8 WebCore::DocumentLoader::commitIfReady() + 72 9 com.apple.WebCore 0x0114736c WebCore::DocumentLoader::commitLoad(char const*, int) + 60 10 com.apple.WebCore 0x014acd80 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 80 11 com.apple.WebCore 0x013d9564 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 52 12 com.apple.WebCore 0x014a8a38 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 168 13 com.apple.Foundation 0x92c18574 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564 14 com.apple.Foundation 0x92c16a14 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488 15 com.apple.Foundation 0x92c167b0 _sendCallbacks + 156 16 com.apple.CoreFoundation 0x907de42c __CFRunLoopDoSources0 + 384 17 com.apple.CoreFoundation 0x907dd95c __CFRunLoopRun + 452 18 com.apple.CoreFoundation 0x907dd3dc CFRunLoopRunSpecific + 268 19 com.apple.HIToolbox 0x9329eb20 RunCurrentEventLoopInMode + 264 20 com.apple.HIToolbox 0x9329e12c ReceiveNextEventCommon + 244 21 com.apple.HIToolbox 0x9329e020 BlockUntilNextEventMatchingListInMode + 96 22 com.apple.AppKit 0x937a4bc4 _DPSNextEvent + 384 23 com.apple.AppKit 0x937a4888 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116 24 com.apple.Safari 0x00006740 0x1000 + 22336 25 com.apple.AppKit 0x937a0dcc -[NSApplication run] + 472 26 com.apple.AppKit 0x93891974 NSApplicationMain + 452 27 com.apple.Safari 0x0005c77c 0x1000 + 374652 28 com.apple.Safari 0x0005c624 0x1000 + 374308

With a local debug build of WebKit r28320 with Safari 3.0.4 (523.12) on Mac OS X 10.4.11 (8S165), I get this console output loading the webarchive for the first time: Safari(7737,0xa000ed88) malloc: *** error for object 0x8415510: incorrect checksum for freed object - object was probably modified after being freed, break at szone_error to debug Safari(7737,0xa000ed88) malloc: *** set a breakpoint in szone_error to debug The next reload caused a crash: Thread 6 Crashed: 0 <<00000000>> 0xfffeff20 objc_msgSend_rtp + 32 1 com.apple.CoreFoundation 0x907ef04c __CFStreamDeallocate + 484 2 com.apple.CoreFoundation 0x907bde94 _CFRelease + 240 3 com.apple.CFNetwork 0x90f9ded0 shutdownConnectionStreams + 76 4 com.apple.CoreFoundation 0x907bde94 _CFRelease + 240 5 com.apple.Foundation 0x92bd6d30 -[NSMutableArray removeObject:] + 100 6 com.apple.Foundation 0x92c12c00 -[NSConnectionHTTPURLProtocol createStream:] + 584 7 com.apple.Foundation 0x92c12884 -[NSConnectionHTTPURLProtocol continueBeginLoadInBackgroundAfterCreatingHTTPRequest] + 76 8 com.apple.Foundation 0x92c0fb28 -[NSConnectionHTTPURLProtocol startOriginLoad] + 48 9 com.apple.Foundation 0x92c0f7e4 -[NSURLConnection(NSURLConnectionInternal) _performOriginLoad] + 328 10 com.apple.Foundation 0x92c0d898 _resourceLoaderPerform + 224 11 com.apple.CoreFoundation 0x907de42c __CFRunLoopDoSources0 + 384 12 com.apple.CoreFoundation 0x907dd95c __CFRunLoopRun + 452 13 com.apple.CoreFoundation 0x907dd3dc CFRunLoopRunSpecific + 268 14 com.apple.Foundation 0x92c0d5f8 +[NSURLConnection(NSURLConnectionInternal) _resourceLoadLoop:] + 264 15 com.apple.Foundation 0x92be60c0 forkThreadForFunction + 108 16 libSystem.B.dylib 0x9002bd08 _pthread_body + 96

This is the URL of the webarchive: http://www.news.com/?tag=hdrgif

I'm probably stating the obvious, but I think there are multiple issues here.

<rdar://problem/5625221>

Narrowed down the "malloc" console errors to this script tag: <script src="http://i.i.com.com/cnwk.1d/html/js/redball/global/compressed/cnet.global.framework.js" type="text/javascript"></script> The contents of the script need to be narrowed down further.

(In reply to comment #9) > The contents of the script need to be narrowed down further. I'm using this script with <http://delta.tigris.org/> to narrow down the remaining JavaScript (which allows enough time for the browser to start, load the page to test for the error message, then get killed and the testing to continue): #!/bin/sh (sleep 4; ps auwwx | grep Safari | grep /tmp/delta/bar.html | grep -v grep | cut -c10-15 | xargs kill -HUP) & FOO=`/Users/ddkilzer/Projects/Cocoa/WebKit/WebKitTools/Scripts/run-safari --debug /tmp/delta/bar.html 2>&1 | grep 'error for object'` if [ ! -z "$FOO" ]; then echo "$FOO" exit 0; fi exit 1; To "unpack" the packed JavaScript, I used a couple of well-placed alert() statements, loaded the page manually, copied the string of JavaScript code that would be sent to eval(), then replaced it in the original script and verified that it still reproduced the issue. Also used this JavaScript pretty-printer to clean up the unpacked JavaScript for delta: http://elfz.laacz.lv/beautify/

These backtraces look like different symptoms of a memory trasher to me, rather than looking like multiple issues.

This is a compiled regular expression that's overrunning the buffer. ERR7. This is the regular expression: "\\[[\"'\\s]{0,1}([\\w-]*)[\"'\\s]{0,1}([\\W]{0,1}=){0,2}[\"'\\s]{0,1}([\\w-]*)[\"'\\s]{0,1}\\]$"

Here's a reduction in JavaScript. /\[["'\s]{0,1}([\w-]*)["'\s]{0,1}([\W]{0,1}=){0,2}["'\s]{0,1}([\w-]*)["'\s]{0,1}\]$/ Reducing further.

Created attachment 17678 [details] Partial reduction [WIP] (WILL CRASH) Work-in-progress partial reduction. A debug build of WebKit is apparently required to see the "malloc" error messages.

Here's a further reduction: /(x){0,2}/

Comment on attachment 17678 [details] Partial reduction [WIP] (WILL CRASH) See Comment #12, Comment #13 and Comment #15.

I have a fix now. I don't see how this could be a regression, though. Looks like a long-standing PCRE bug.

Created attachment 17680 [details] patch -- no time for ChangeLog or test case right now; be back later

Created attachment 17689 [details] patch

*** Bug 16284 has been marked as a duplicate of this bug. ***

(In reply to comment #7) > I'm probably stating the obvious, but I think there are multiple issues here. (In reply to comment #11) > These backtraces look like different symptoms of a memory trasher to me, rather > than looking like multiple issues. After applying the patch in Attachment #17689 [details], I got the crash in Bug 16288 (after a few reloads).

(In reply to comment #21) > After applying the patch in Attachment #17689 [details] [edit], I got the crash in Bug 16288 > (after a few reloads). Kilzer 1, Adler 0! I'll take a look at that crash now.

The problem I hit was yet another. An assertion inside Safari. Presumably because I'm using a debug version of Safari.

Comment on attachment 17689 [details] patch r=me

Comment on attachment 17689 [details] patch OK. I landed the patch for the first bug, but I can't yet reproduce other crashes.

(In reply to comment #25) > (From update of attachment 17689 [details] [edit]) > OK. I landed the patch for the first bug, but I can't yet reproduce other > crashes. I think the majority of the crashes were related to the memory smasher, but I'll simply file new bugs if I see them again (like Bug 16288).

(In reply to comment #25) > (From update of attachment 17689 [details] [edit]) > OK. I landed the patch for the first bug, but I can't yet reproduce other > crashes. http://bugs.webkit.org/show_bug.cgi?id=16288

(In reply to comment #27) > (In reply to comment #25) > > (From update of attachment 17689 [details] [edit] [edit]) > > OK. I landed the patch for the first bug, but I can't yet reproduce other > > crashes. > > http://bugs.webkit.org/show_bug.cgi?id=16288 Err...how about: http://trac.webkit.org/projects/webkit/changeset/28395

(In reply to comment #4) > WebKit nightly r28233 crashed for me this way (loading the webarchive > attachment; same test method for Comment #3): > > Exception: EXC_BAD_ACCESS (0x0001) > Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000010 > > Thread 0 Crashed: > 0 com.apple.JavaScriptCore 0x0045d3ec WTF::fastFree(void*) + 1772 > 1 com.apple.WebCore 0x01021e4c > WebCore::FreeArenaList(WebCore::ArenaPool*, WebCore::Arena*, bool) + 92 > 2 com.apple.WebCore 0x011398b4 WebCore::Document::detach() > + 372 Filed Bug 16303 to track this crash.