Similar to bug 5661, after general browsing for a period of time (longer than required for 5661 but still inevitable), Safari running TOT WebKit will crash with the following:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0  com.apple.CoreFoundation  0x90771be0  CFArraySetValueAtIndex + 56
1  com.apple.WebCore         0x015d4738  deleteTimer(KWQObjectTimer*) + 72 (KWQObject.mm:201)
2  com.apple.WebCore         0x015d47a8  QObject::killTimer(int) + 88 (KWQObject.mm:215)
3  com.apple.WebCore         0x016baf88  DOM::DocumentImpl::dispatchImageLoadEventsNow() + 60 (dom_docimpl.cpp:2550)
4  com.apple.WebCore         0x015d4cac  sendDeferredTimerEvent(void const*, void*) + 64 (KWQObject.mm:239)
5  com.apple.CoreFoundation  0x9076c954  CFArrayApplyFunction + 416
6  com.apple.WebCore         0x015d48d0  sendDeferredTimerEvents(__CFRunLoopTimer*, void*) + 112 (KWQObject.mm:254)
7  com.apple.CoreFoundation  0x90770ae0  __CFRunLoopDoTimer + 184
8  com.apple.CoreFoundation  0x9075d458  __CFRunLoopRun + 1680
9  com.apple.CoreFoundation  0x9075ca0c  CFRunLoopRunSpecific + 268
10 com.apple.HIToolbox       0x931831e0  RunCurrentEventLoopInMode + 264
11 com.apple.HIToolbox       0x93182874  ReceiveNextEventCommon + 380
12 com.apple.HIToolbox       0x931826e0  BlockUntilNextEventMatchingListInMode + 96
13 com.apple.AppKit          0x93681904  _DPSNextEvent + 384
14 com.apple.AppKit          0x936815c8  -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
15 com.apple.Safari          0x00006ef0  0x1000 + 24304
16 com.apple.AppKit          0x9367db0c  -[NSApplication run] + 472
17 com.apple.AppKit          0x9376e618  NSApplicationMain + 452
18 com.apple.Safari          0x0000265c  0x1000 + 5724
19 com.apple.Safari          0x00056d1c  0x1000 + 351516
Created attachment 4633
patch that changes how deletion works with deferral, should fix crash

Needs a little testing.
I am rolling back Darin's original patch, the one that caused this crash. We are going to get this code in better shape before we commit.