VERIFIED FIXED 7601
REGRESSION (r13089): Reproducible crash dereferencing a deallocated element on google image search
https://bugs.webkit.org/show_bug.cgi?id=7601
mitz
Reported 2006-03-04 11:28:40 PST
I get the following crash when I am signed in to Google and I open the above URL, wait for it to finish loading, then reload. It doesn't happen when I'm not signed in, nor was Alexey able to reproduce it when signed in to his account. However, it does not seem to depend on a specific search result, as I have gotten it with different searches. From what I saw in gdb, the crash happens because the HTMLImageElementImpl called in frame 8 is garbage, so supposedly it was deallocated. I got other similar crashes where the backtrace was different (e.g. when going back from a search result to the results page) but the cause was again an HTMLElement pointing to a bad ElementImpl. I am able to reproduce reliably with r13093 and later builds but not with r13078 or earlier.

Thread 0 Crashed:
0 com.apple.WebCore 0x01bcd1e4 KXMLCore::HashTable<WebCore::NodeListImpl*, WebCore::NodeListImpl*, KXMLCore::IdentityExtractor<WebCore::NodeListImpl*>, KXMLCore::PtrHash<WebCore::NodeListImpl*>, KXMLCore::HashTraits<WebCore::NodeListImpl*>, KXMLCore::HashTraits<WebCore::NodeListImpl*> >::end() + 36 (HashTable.h:277)
1 com.apple.WebCore 0x01bcd250 KXMLCore::HashSet<WebCore::NodeListImpl*, KXMLCore::PtrHash<WebCore::NodeListImpl*>, KXMLCore::HashTraits<WebCore::NodeListImpl*> >::end() + 48 (HashSet.h:133)
2 com.apple.WebCore 0x019169e0 WebCore::NodeImpl::notifyLocalNodeListsAttributeChanged() + 60 (NodeImpl.cpp:756)
3 com.apple.WebCore 0x01916aa8 WebCore::NodeImpl::notifyNodeListsAttributeChanged() + 44 (NodeImpl.cpp:762)
4 com.apple.WebCore 0x01916b6c WebCore::NodeImpl::dispatchSubtreeModifiedEvent(bool) + 148 (NodeImpl.cpp:793)
5 com.apple.WebCore 0x017e5ac8 WebCore::NamedAttrMapImpl::addAttribute(WebCore::AttributeImpl*) + 452 (dom_elementimpl.cpp:1100)
6 com.apple.WebCore 0x017e9678 WebCore::ElementImpl::setAttribute(WebCore::QualifiedName const&, WebCore::StringImpl*, int&) + 488 (dom_elementimpl.cpp:430)
7 com.apple.WebCore 0x017e9744 WebCore::ElementImpl::setAttribute(WebCore::QualifiedName const&, WebCore::String const&) + 72 (dom_elementimpl.cpp:316)
8 com.apple.WebCore 0x017ba1b0 WebCore::HTMLImageElementImpl::setSrc(WebCore::String const&) + 60 (html_imageimpl.cpp:398)
9 com.apple.WebCore 0x01770324 KJS::HTMLElement::imageSetter(KJS::ExecState*, int, KJS::JSValue*, WebCore::String const&) + 396 (kjs_html.cpp:2890)
10 com.apple.WebCore 0x01789a9c KJS::HTMLElement::putValueProperty(KJS::ExecState*, int, KJS::JSValue*, int) + 756 (kjs_html.cpp:3171)
11 com.apple.WebCore 0x01789db0 KJS::HTMLElement::put(KJS::ExecState*, KJS::Identifier const&, KJS::JSValue*, int) + 740 (kjs_html.cpp:2463)
12 com.apple.JavaScriptCore 0x0103e0ac KJS::AssignDotNode::evaluate(KJS::ExecState*) + 1740 (nodes.cpp:1374)
13 com.apple.JavaScriptCore 0x010379c4 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641)
14 com.apple.JavaScriptCore 0x01033f28 KJS::SourceElementsNode::execute(KJS::ExecState*) + 280 (nodes.cpp:2381)
15 com.apple.JavaScriptCore 0x01031280 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618)
16 com.apple.JavaScriptCore 0x01019154 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:331)
17 com.apple.JavaScriptCore 0x01018780 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 700 (function.cpp:102)
18 com.apple.JavaScriptCore 0x0104483c KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:94)
19 com.apple.JavaScriptCore 0x0103b86c KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 820 (nodes.cpp:593)
20 com.apple.JavaScriptCore 0x010379c4 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641)
21 com.apple.JavaScriptCore 0x01034078 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2387)
22 com.apple.JavaScriptCore 0x01031280 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618)
23 com.apple.JavaScriptCore 0x01019154 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:331)
24 com.apple.JavaScriptCore 0x01018780 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 700 (function.cpp:102)
25 com.apple.JavaScriptCore 0x0104483c KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:94)
26 com.apple.JavaScriptCore 0x0103b004 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 908 (nodes.cpp:686)
27 com.apple.JavaScriptCore 0x010379c4 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1641)
28 com.apple.JavaScriptCore 0x01034078 KJS::SourceElementsNode::execute(KJS::ExecState*) + 616 (nodes.cpp:2387)
29 com.apple.JavaScriptCore 0x01031280 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1618)
30 com.apple.JavaScriptCore 0x0102746c KJS::InterpreterImp::evaluate(KJS::UChar const*, int, KJS::JSValue*, KJS::UString const&, int) + 1028 (internal.cpp:591)
31 com.apple.JavaScriptCore 0x0102964c KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 100 (interpreter.cpp:122)
32 com.apple.WebCore 0x0178f198 WebCore::KJSProxyImpl::evaluate(WebCore::String const&, int, WebCore::String const&, WebCore::NodeImpl*) + 380 (kjs_proxy.cpp:69)
33 com.apple.WebCore 0x018d6448 WebCore::Frame::executeScript(QString const&, int, WebCore::NodeImpl*, QString const&) + 144 (Frame.cpp:2080)
34 com.apple.WebCore 0x017d997c WebCore::HTMLTokenizer::scriptExecution(QString const&, WebCore::HTMLTokenizer::State, QString, int) + 468 (htmltokenizer.cpp:470)
35 com.apple.WebCore 0x017dca98 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 1632 (htmltokenizer.cpp:409)
36 com.apple.WebCore 0x017dd1a8 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1340 (htmltokenizer.cpp:277)
37 com.apple.WebCore 0x017dfdec WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 924 (htmltokenizer.cpp:1389)
38 com.apple.WebCore 0x018d9354 WebCore::Frame::write(char const*, int) + 952 (Frame.cpp:681)
39 com.apple.WebCore 0x018d0414 WebCore::Frame::addData(char const*, int) + 340 (Frame.cpp:2684)
40 com.apple.WebCore 0x0191e744 -[WebCoreFrameBridge addData:] + 224 (WebCoreFrameBridge.mm:653)
41 com.apple.WebKit 0x00334090 -[WebFrameBridge receivedData:textEncodingName:] + 236 (WebFrameBridge.m:479)
42 com.apple.WebKit 0x0036c788 -[WebHTMLRepresentation receivedData:withDataSource:] + 248 (WebHTMLRepresentation.m:122)
43 com.apple.WebKit 0x003578f4 -[WebDataSource(WebPrivate) _commitLoadWithData:] + 164 (WebDataSource.m:895)
44 com.apple.WebKit 0x00355f78 -[WebDataSource(WebPrivate) _receivedData:] + 196 (WebDataSource.m:646)
45 com.apple.WebKit 0x00391054 -[WebMainResourceLoader addData:] + 136 (WebMainResourceLoader.m:163)
46 com.apple.WebKit 0x00350c68 -[WebLoader didReceiveData:lengthReceived:] + 108 (WebLoader.m:535)
47 com.apple.WebKit 0x00392638 -[WebMainResourceLoader didReceiveData:lengthReceived:] + 724 (WebMainResourceLoader.m:378)
48 com.apple.WebKit 0x003517cc -[WebLoader connection:didReceiveData:lengthReceived:] + 188 (WebLoader.m:645)
49 com.apple.Foundation 0x9299c5d4 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 564
50 com.apple.Foundation 0x9299aa74 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 488
51 com.apple.Foundation 0x9299a810 _sendCallbacks + 156
52 com.apple.CoreFoundation 0x907e4a68 __CFRunLoopDoSources0 + 384
53 com.apple.CoreFoundation 0x907e3f98 __CFRunLoopRun + 452
54 com.apple.CoreFoundation 0x907e3a18 CFRunLoopRunSpecific + 268
55 com.apple.HIToolbox 0x93211980 RunCurrentEventLoopInMode + 264
56 com.apple.HIToolbox 0x93211014 ReceiveNextEventCommon + 380
57 com.apple.HIToolbox 0x93210e80 BlockUntilNextEventMatchingListInMode + 96
58 com.apple.AppKit 0x93713104 _DPSNextEvent + 384
59 com.apple.AppKit 0x93712dc8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
60 com.apple.Safari 0x00006fd4 0x1000 + 24532
61 com.apple.AppKit 0x9370f30c -[NSApplication run] + 472
62 com.apple.AppKit 0x937ffe68 NSApplicationMain + 452
63 com.apple.Safari 0x0005cd08 0x1000 + 376072
64 com.apple.Safari 0x0005cbb0 0x1000 + 375728
Attachments
Patch (1.15 KB, patch)
2006-03-05 13:14 PST, mitz
mjs: review+
mitz
Comment 1 2006-03-05 12:12:49 PST
I have tracked this regression down to r13089, the PLATFORM macros patch, and then Alexey found out the reason in Platform.h:

#if PLATFORM(MAC)
#define USE_MULTIPLE_THREADS 1
#endif

Changing it to KXMLCORE_USE_MULTIPLE_THREADS fixes the bug.
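The root cause in Comment 1 is a renamed configuration macro: Platform.h defined USE_MULTIPLE_THREADS while the code that depended on it tested KXMLCORE_USE_MULTIPLE_THREADS, and the C preprocessor treats an undefined identifier in an #if expression as 0, so the guarded code was silently compiled out. The following is an added example, not WebKit code and not the attached patch; it reuses only the two macro names from Comment 1, uses constructed stand-in macros for whatever the real macro guards (the page does not show that), and shows the compile-time guard that turns this kind of mismatch into a build failure.

```c
/*
 * Added example (not WebKit code): a stale feature-macro name silently
 * disables guarded code, because an undefined identifier in an #if
 * expression evaluates to 0. The macro names come from Comment 1; the
 * STAGE*_THREAD_SUPPORT macros are constructed stand-ins.
 */
#include <stdio.h>

/* --- Stage 1: the platform header as it was after r13089. */
#define USE_MULTIPLE_THREADS 1

/* Consumer code tests the KXMLCORE_-prefixed name, which is not defined
 * at this point, so the #if takes the "else" branch with no diagnostic
 * unless the build uses -Wundef. */
#if KXMLCORE_USE_MULTIPLE_THREADS
#define STAGE1_THREAD_SUPPORT 1
#else
#define STAGE1_THREAD_SUPPORT 0
#endif

/* --- Stage 2: the platform header as the attached patch changed it. */
#define KXMLCORE_USE_MULTIPLE_THREADS 1

#if KXMLCORE_USE_MULTIPLE_THREADS
#define STAGE2_THREAD_SUPPORT 1
#else
#define STAGE2_THREAD_SUPPORT 0
#endif

/* Query functions so a unit test can assert on what the build actually
 * compiled in, rather than on what the config header appears to say. */
int thread_support_before_fix(void) { return STAGE1_THREAD_SUPPORT; }
int thread_support_after_fix(void)  { return STAGE2_THREAD_SUPPORT; }

/*
 * Defensive pattern: a translation unit that depends on a feature macro
 * requires it to be explicitly defined (to 0 or 1) and fails the build
 * otherwise. With this guard in place, a rename like the one in this bug
 * stops compilation instead of quietly changing behaviour. Building with
 * -Wundef -Werror (gcc and clang) catches the same class of mistake
 * without source changes.
 */
#if !defined(KXMLCORE_USE_MULTIPLE_THREADS)
#error "KXMLCORE_USE_MULTIPLE_THREADS must be defined by the platform header"
#endif

int main(void)
{
    printf("thread support compiled in before fix: %d\n", thread_support_before_fix());
    printf("thread support compiled in after fix:  %d\n", thread_support_after_fix());
    return 0;
}
```

Compile and run with `cc -Wundef -Wall example.c && ./a.out`; with -Wundef the stage-1 #if produces a warning pointing at exactly the mismatch that took a reproducible crash and a bisection to find here.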
mitz
Comment 2 2006-03-05 13:14:30 PST
Created attachment 6876 [details] Patch No test case since I don't know how to reproduce locally.
Dave Hyatt
Comment 3 2006-03-05 15:00:12 PST
Comment on attachment 6876 [details] Patch r=me
Alexey Proskuryakov
Comment 5 2006-03-05 21:30:22 PST
Landed, r13154.
mitz
Comment 6 2006-03-06 23:19:42 PST
No longer crashes in r13183 nightly.