The provided test case attempts to load data from 192.168.1.10, so fails to do anything for me. Altering it to load data from the correct hostname results in the images being displayed correctly and no crash occurring using ToT WebKit. Can you please provide a reduced test case or instructions on how to reliably reproduce the crash?
Created attachment 3787 [details] Test content to reproduce the bug The problem as I see it is that when the location.hash is set (in function updatePageNumbers(), called from updateTable(), the variable headingElement is no longer valid. Code from updateTable() function: -- updatePageNumbers(); headingElement.innerHTML = "flowers"; --
Confirmed this one in ToT, moving to p1 since it's a reproducible crash. All you have to do is click the links in the testcase and wait a bit...
This looks like some kind of object lifetime problem in the render tree. The crash is in updateFirstLetter. I don't think the cause is the headingElement issue mentioned above.
I bet this is the same thing as bug 3560.
<rdar://problem/4330356>
*** This bug has been marked as a duplicate of 3560 ***