Confirmed in Webkit r31078 on Leopard. Crash log attached.

Created attachment 19795 [details] crash log

I get a different backtrace with my r31079 debug build and has no mention of : #0 0x02b60964 in WTF::RefCounted<WebCore::StringImpl>::deref (this=0x771defc6) at RefCounted.h:47 #1 0x02b60ad6 in WTF::RefPtr<WebCore::StringImpl>::operator= (this=0x1b3f2580, o=@0xbfffd9c8) at RefPtr.h:88 #2 0x02b60af4 in WebCore::String::operator= (this=0x1b3f2580) at text/PlatformString.h:48 #3 0x02bae264 in WebCore::AtomicString::operator= (this=0x1b3f2580) at text/AtomicString.h:31 #4 0x02ec99eb in WebCore::NamedAttrMap::removeAttribute (this=0x1aa4f4d0, name=@0x3565f1c) at /Users/matt/Code/WebKit/WebCore/dom/NamedAttrMap.cpp:305 #5 0x02c9aed6 in WebCore::Element::setAttribute (this=0x1a9b7570, name=@0x3565f1c, value=0x0, ec=@0xbfffda4c) at /Users/matt/Code/WebKit/WebCore/dom/Element.cpp:499 #6 0x02c9b0f3 in WebCore::Element::setAttribute (this=0x1a9b7570, name=@0x3565f1c, value=@0xbfffda8c) at /Users/matt/Code/WebKit/WebCore/dom/Element.cpp:174 #7 0x02d3a0bd in WebCore::HTMLLinkElement::setDisabled (this=0x1a9b7570, disabled=false) at /Users/matt/Code/WebKit/WebCore/html/HTMLLinkElement.cpp:267 #8 0x02e112ca in WebCore::JSHTMLLinkElement::putValueProperty (this=0x1a8d13e0, exec=0xbfffde60, token=0, value=0x2) at /Users/matt/Code/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLLinkElement.cpp:210 #9 0x02e11d76 in KJS::lookupPut<WebCore::JSHTMLLinkElement> (exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2, table=0x351775c, thisObj=0x1a8d13e0) at lookup.h:245 #10 0x02e11daf in KJS::lookupPut<WebCore::JSHTMLLinkElement, WebCore::JSHTMLElement> (exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2, table=0x351775c, thisObj=0x1a8d13e0) at lookup.h:260 #11 0x02e11563 in WebCore::JSHTMLLinkElement::put (this=0x1a8d13e0, exec=0xbfffde60, propertyName=@0x1aa54d6c, value=0x2) at /Users/matt/Code/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLLinkElement.cpp:202 #12 0x00a74067 in KJS::AssignDotNode::evaluate (this=0x1aa54d60, exec=0xbfffde60) at nodes.cpp:3431 #13 0x00a7372f in KJS::ExprStatementNode::execute (this=0x1aa54d80, exec=0xbfffde60) at nodes.cpp:3750 #14 0x00a7367d in KJS::IfNode::execute (this=0x1aa54da0, exec=0xbfffde60) at nodes.cpp:3787 #15 0x00a54be5 in statementListExecute (statements=@0x1aa53640, exec=0xbfffde60) at nodes.cpp:3703 #16 0x00a54c72 in KJS::BlockNode::execute (this=0x1aa53630, exec=0xbfffde60) at nodes.cpp:3728 #17 0x00a7367d in KJS::IfNode::execute (this=0x1aa53650, exec=0xbfffde60) at nodes.cpp:3787 #18 0x00a54be5 in statementListExecute (statements=@0x1aa53060, exec=0xbfffde60) at nodes.cpp:3703 #19 0x00a54c72 in KJS::BlockNode::execute (this=0x1aa53050, exec=0xbfffde60) at nodes.cpp:3728 #20 0x00a730b7 in KJS::ForNode::execute (this=0x1aa53070, exec=0xbfffde60) at nodes.cpp:3916 #21 0x00a54be5 in statementListExecute (statements=@0x1a9f4020, exec=0xbfffde60) at nodes.cpp:3703 #22 0x00a54c72 in KJS::BlockNode::execute (this=0x1a9f4010, exec=0xbfffde60) at nodes.cpp:3728 #23 0x00a62760 in KJS::FunctionBodyNode::execute (this=0x1a9f4010, exec=0xbfffde60) at nodes.cpp:4647 #24 0x00a62eca in KJS::FunctionImp::callAsFunction (this=0x1a8d0b20, exec=0xbfffe0d0, thisObj=0x1a8d0000, args=@0xbfffdf28) at function.cpp:76 #25 0x00a6ca0e in KJS::JSObject::call (this=0x1a8d0b20, exec=0xbfffe0d0, thisObj=0x1a8d0000, args=@0xbfffdf28) at object.cpp:96 #26 0x00abf7ae in KJS::ExpressionNode::resolveAndCall<(KJS::ExpressionNode::CallerType)1> (this=0x1aa73120, exec=0xbfffe0d0, ident=@0x1aa73128, args=0x1aab1410) at nodes.cpp:997 #27 0x00abf880 in KJS::FunctionCallResolveNode::inlineEvaluate (this=0x1aa73120, exec=0xbfffe0d0) at nodes.cpp:1061 #28 0x00a90adc in KJS::FunctionCallResolveNode::evaluate (this=0x1aa73120, exec=0xbfffe0d0) at nodes.cpp:1066 #29 0x00a7372f in KJS::ExprStatementNode::execute (this=0x1aa73140, exec=0xbfffe0d0) at nodes.cpp:3750 #30 0x00a54be5 in statementListExecute (statements=@0x1602e850, exec=0xbfffe0d0) at nodes.cpp:3703 #31 0x00a54c72 in KJS::BlockNode::execute (this=0x1602e840, exec=0xbfffe0d0) at nodes.cpp:3728 #32 0x00a62760 in KJS::FunctionBodyNode::execute (this=0x1602e840, exec=0xbfffe0d0) at nodes.cpp:4647 #33 0x00a62eca in KJS::FunctionImp::callAsFunction (this=0x1a8d0ca0, exec=0x4b0571c, thisObj=0x1a8d0000, args=@0xbfffe1ac) at function.cpp:76 #34 0x00a6ca0e in KJS::JSObject::call (this=0x1a8d0ca0, exec=0x4b0571c, thisObj=0x1a8d0000, args=@0xbfffe1ac) at object.cpp:96 #35 0x03119dae in WebCore::JSAbstractEventListener::handleEvent (this=0x1b534b60, ele=0x1b561560, isWindowEvent=true) at /Users/matt/Code/WebKit/WebCore/bindings/js/kjs_events.cpp:105 #36 0x02c65a95 in WebCore::Document::handleWindowEvent (this=0x48c6400, evt=0x1b561560, useCapture=false) at /Users/matt/Code/WebKit/WebCore/dom/Document.cpp:2577 #37 0x02caf15a in WebCore::EventTargetNode::dispatchWindowEvent (this=0x48c6400, eventType=@0x3565c94, canBubbleArg=false, cancelableArg=false) at /Users/matt/Code/WebKit/WebCore/dom/EventTargetNode.cpp:140 #38 0x02c6a5da in WebCore::Document::implicitClose (this=0x48c6400) at /Users/matt/Code/WebKit/WebCore/dom/Document.cpp:1523 #39 0x02cde732 in WebCore::FrameLoader::checkCallImplicitClose (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1319 #40 0x02cea63a in WebCore::FrameLoader::checkCompleted (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1272 #41 0x02cea785 in WebCore::FrameLoader::loadDone (this=0x48c0200) at /Users/matt/Code/WebKit/WebCore/loader/FrameLoader.cpp:1239 #42 0x02c600ba in WebCore::DocLoader::setLoadInProgress (this=0x15e90410, load=false) at /Users/matt/Code/WebKit/WebCore/loader/DocLoader.cpp:211 #43 0x0311e095 in WebCore::Loader::Host::didFinishLoading (this=0x1aa4c6b0, loader=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/loader.cpp:274 #44 0x030b81cd in WebCore::SubresourceLoader::didFinishLoading (this=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/SubresourceLoader.cpp:193 #45 0x02fb733a in WebCore::ResourceLoader::didFinishLoading (this=0x4b56200) at /Users/matt/Code/WebKit/WebCore/loader/ResourceLoader.cpp:372 #46 0x02fb4af5 in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x1607f580, _cmd=0xc8c5c4, con=0x1b574560) at /Users/matt/Code/WebKit/WebCore/platform/network/mac/ResourceHandleMac.mm:521 #47 0x010048b7 in -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] () #48 0x01004844 in _NSURLConnectionDidFinishLoading () #49 0x025c37f3 in sendDidFinishLoadingCallback () #50 0x025c0920 in _CFURLConnectionSendCallbacks () #51 0x025c00d9 in muxerSourcePerform () #52 0x00ddd62e in CFRunLoopRunSpecific () #53 0x00dddd18 in CFRunLoopRunInMode () #54 0x0175f6a0 in RunCurrentEventLoopInMode () #55 0x0175f4b9 in ReceiveNextEventCommon () #56 0x0175f32d in BlockUntilNextEventMatchingListInMode () #57 0x916647d9 in _DPSNextEvent () #58 0x9166408e in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] () #59 0x0000806e in ?? () #60 0x9165d0c5 in -[NSApplication run] () #61 0x9162a30a in NSApplicationMain () #62 0x000b9a76 in ?? () Current language: auto; currently c++ (gdb)

(In reply to comment #3) > I get a different backtrace with my r31079 debug build > They're the same after frame 4 of mine (frame 2 of the attached crash log).

I created a somewhat smaller file that still crashed for me (although the javascript seems to dictate which css to use so I couldnt embed the css within the page, and it might also mean your browser might not crash)

Created attachment 19797 [details] Reduction HTML

Created attachment 19798 [details] Reduction CSS

Created attachment 19799 [details] Reduction JS

Created attachment 19800 [details] Reduction HTML with embedded JS

*** Bug 17880 has been marked as a duplicate of this bug. ***

*** Bug 17879 has been marked as a duplicate of this bug. ***

The attached reduction does not crash for me. The original page does.

(In reply to comment #12) > The attached reduction does not crash for me. The original page does. > The attached JS is incomplete - I'm working on further reducing this.

Created attachment 19804 [details] patch

Comment on attachment 19804 [details] patch r=me

Committed revision 31080.

*** Bug 17882 has been marked as a duplicate of this bug. ***

Darin's patch didn't fix this, see bug 17882.

Oops. OK, what my patch fixed may have been something else, then! Reopening.

Comment on attachment 19804 [details] patch Cleared review flag since this patch was landed and the bug was reopened.

I have a fix for this. It's a regression caused by r31060.

Created attachment 19835 [details] Patch + test + ChangeLog

Committed in r31095.