Bug 16284

Opening the URL or reloading it several times (NOTE: due to another regression, you need to disable plug-ins before loading the URL) crashes WebKit after it prints several messages like Safari(6659,0xa0055f60) malloc: *** error for object 0x16f4fc40: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Setting a breakpoint reveals that this first occurs with the following call stack: #0 0x9027f9f1 in malloc_error_break () #1 0x9027a9df in szone_error () #2 0x901a011e in szone_free () #3 0x9019f9ed in free () #4 0x0057a2fe in WTF::fastFree (p=0x16f4fb30) at FastMalloc.cpp:171 #5 0x00615e73 in jsRegExpCompile (pattern=0x16f4fa90, patternLength=77, ignoreCase=JSRegExpDoNotIgnoreCase, multiline=JSRegExpSingleLine, numSubpatterns=0x18fcc2dc, errorptr=0x18fcc2d8) at /WebKit/OpenSource/JavaScriptCore/pcre/pcre_compile.cpp:2855 #6 0x00582cc1 in KJS::RegExp::RegExp (this=0x18fcc2c0, pattern=@0x16fe7358, flags=@0x16fe735c) at regexp.cpp:70 #7 0x00582cef in KJS::RegExp::RegExp (this=0x18fcc2c0, pattern=@0x16fe7358, flags=@0x16fe735c) at regexp.cpp:71 #8 0x005e49fb in KJS::RegExpNode::RegExpNode (this=0x18fcc2b0, pattern=@0x16fe7358, flags=@0x16fe735c) at nodes.h:281 #9 0x005e4a31 in KJS::RegExpNode::RegExpNode (this=0x18fcc2b0, pattern=@0x16fe7358, flags=@0x16fe735c) at nodes.h:283 #10 0x005b2f9b in kjsyyparse () at grammar.y:227 #11 0x005b6f1e in KJS::Parser::parse (this=0x64cc88, sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, length=9147, sourceId=0xbfffde98, errLine=0xbfffde94, errMsg=0xbfffde90) at Parser.cpp:76 #12 0x005b7066 in KJS::Parser::parseProgram (this=0x64cc88, sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, length=9147, sourceId=0xbfffde98, errLine=0xbfffde94, errMsg=0xbfffde90) at Parser.cpp:46 #13 0x005b7139 in KJS::Interpreter::evaluate (this=0x16fe3280, sourceURL=@0xbfffdf54, startingLineNumber=0, code=0x19376000, codeLength=9147, thisV=0x19340000) at interpreter.cpp:345 #14 0x022fcf4f in WebCore::KJSProxy::evaluate (this=0x18b8cbd0, filename=@0xbfffe058, baseLine=0, str=@0xbfffe054) at /WebKit/OpenSource/WebCore/bindings/js/kjs_proxy.cpp:90 #15 0x01f4440c in WebCore::FrameLoader::executeScript (this=0x40d5200, URL=@0xbfffe058, baseLine=0, script=@0xbfffe054) at /WebKit/OpenSource/WebCore/loader/FrameLoader.cpp:759 #16 0x01fc06e2 in WebCore::HTMLTokenizer::scriptExecution (this=0x45fcc00, str=@0xbfffe154, state={static EntityShift = <optimized out>, m_bits = 4194304}, scriptURL=@0xbfffe124, baseLine=0) at /WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:520 #17 0x01fc0ba4 in WebCore::HTMLTokenizer::notifyFinished (this=0x45fcc00) at /WebKit/OpenSource/WebCore/html/HTMLTokenizer.cpp:1737 #18 0x01e2b52e in WebCore::CachedScript::checkNotify (this=0x18fca8b0) at /WebKit/OpenSource/WebCore/loader/CachedScript.cpp:98 #19 0x01e2b68f in WebCore::CachedScript::data (this=0x18fca8b0, data=@0xbfffe28c, allDataReceived=true) at /WebKit/OpenSource/WebCore/loader/CachedScript.cpp:88 #20 0x0230bae6 in WebCore::Loader::didFinishLoading (this=0x152ccf38, loader=0x45f2000) at /WebKit/OpenSource/WebCore/loader/loader.cpp:116 #21 0x022896c7 in WebCore::SubresourceLoader::didFinishLoading (this=0x45f2000) at /WebKit/OpenSource/WebCore/loader/SubresourceLoader.cpp:193 #22 0x02245cec in WebCore::ResourceLoader::didFinishLoading (this=0x45f2000) at /WebKit/OpenSource/WebCore/loader/ResourceLoader.cpp:361 #23 0x0224372c in -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] (self=0x195f0160, _cmd=0x9692d5c4, con=0x18f97e80) at /WebKit/OpenSource/WebCore/platform/network/mac/ResourceHandleMac.mm:455