DESCRIPTION: This is similar to the resolved bug 95492, but it has a different code path. I will make a patch in the same way.

HOW TO REPRODUCE:
1) Build a debug version of WebKit
2) Open bing.com
3) After it has loaded, open baidu.com

EXPECTED: baidu.com is loaded and the browser should not crash.

ACTUAL: The browser crashed at the assertion failure as follows.

Thread [3] (Suspended: Signal 'SIGSEGV' received. Description: Segmentation fault.)
22 JSC::MarkedAllocator::allocateSlowCase() MarkedAllocator.cpp:76 0x02954174
21 JSC::MarkedAllocator::allocate() MarkedAllocator.h:83 0x793f43e4
20 JSC::MarkedSpace::allocateWithDestructor() MarkedSpace.h:197 0x793f4518
19 JSC::Heap::allocateWithDestructor() Heap.h:366 0x793f4668
18 JSC::allocateCell<JSC::JSAPIValueWrapper>() JSCell.h:337 0x793ff2ac
17 JSC::JSAPIValueWrapper::create() JSAPIValueWrapper.h:49 0x793fb664
16 JSC::jsAPIValueWrapper() JSAPIValueWrapper.h:73 0x793fb814
15 toRef() APICast.h:114 0x793fb8a0
14 BlackBerry::WebKit::WebPagePrivate::executeJavaScriptInIsolatedWorld() WebPage.cpp:860 0x793d9f08
13 BlackBerry::WebKit::WebPage::executeJavaScriptInIsolatedWorld() WebPage.cpp:915 0x793da308
Created attachment 170903 [details]
patch

Petter Wang had internally reviewed+. It's better to have YongLi have a look.
Comment on attachment 170903 [details]
patch

r+ with more confidence when it is internally reviewed first.
Comment on attachment 170903 [details]
patch

Clearing flags on attachment: 170903

Committed r132653: <http://trac.webkit.org/changeset/132653>
All reviewed patches have been landed. Closing bug.