Created attachment 188340 [details]
full crash report

Since yesterday's nightly builds I see crashes like this when using the back/forward buttons. Haven't noticed a pattern when the crash happens, will post an update if I find something. Tested with Safari 6.0.2 (8536.26.17, 537+) and nightly r142854.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000109143c68 WebCore::ScrollingStateNode::appendChild(WTF::PassOwnPtr<WebCore::ScrollingStateNode>) + 24
1 com.apple.WebCore 0x0000000109145a65 WebCore::ScrollingStateTree::attachNode(WebCore::ScrollingNodeType, unsigned long long, unsigned long long) + 501
2 com.apple.WebCore 0x0000000109029eb2 WebCore::RenderLayerBacking::attachToScrollingCoordinatorWithParent(WebCore::RenderLayerBacking*) + 162
3 com.apple.WebCore 0x000000010902d818 WebCore::RenderLayerCompositor::registerOrUpdateViewportConstrainedLayer(WebCore::RenderLayer*) + 248
4 com.apple.WebCore 0x00000001090326f3 WebCore::RenderLayerCompositor::updateViewportConstraintStatus(WebCore::RenderLayer*) + 163
5 com.apple.WebCore 0x0000000109029798 WebCore::RenderLayerBacking::registerScrollingLayers() + 88
6 com.apple.WebCore 0x000000010902869e WebCore::RenderLayerBacking::updateGraphicsLayerGeometry() + 5374
7 com.apple.WebCore 0x0000000109030c8d WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry(WebCore::RenderLayer*, WebCore::RenderLayer*, bool) + 93
8 com.apple.WebCore 0x0000000109030e07 WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry(WebCore::RenderLayer*, WebCore::RenderLayer*, bool) + 471
9 com.apple.WebCore 0x0000000109030e07 WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry(WebCore::RenderLayer*, WebCore::RenderLayer*, bool) + 471
10 com.apple.WebCore 0x0000000109027130 WebCore::RenderLayerBacking::updateAfterLayout(unsigned int) + 64
11 com.apple.WebCore 0x000000010900e1c0 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) + 1440
12 com.apple.WebCore 0x000000010900dc04 WebCore::RenderLayer::updateLayerPositionsAfterLayout(WebCore::RenderLayer const*, unsigned int) + 84
13 com.apple.WebCore 0x00000001089886d5 WebCore::FrameView::layout(bool) + 2197
14 com.apple.WebCore 0x000000010897248d WebCore::FrameLoader::commitProvisionalLoad() + 893
15 com.apple.WebCore 0x0000000108970f96 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 502
16 com.apple.WebCore 0x0000000108971080 WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 32
17 com.apple.WebCore 0x0000000108f68299 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 489
18 com.apple.WebCore 0x0000000108970c47 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 1287
19 com.apple.WebCore 0x000000010896d815 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem*, WebCore::FrameLoadType, WebCore::FrameLoader::FormSubmissionCacheLoadPolicy) + 101
20 com.apple.WebCore 0x00000001089d3b3c WebCore::HistoryController::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 460
21 com.apple.WebCore 0x00000001089d3748 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 216
22 com.apple.WebCore 0x0000000108f400a5 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 85
23 com.apple.WebKit2 0x0000000107e52087 WebKit::WebPage::goBack(unsigned long long) + 39
Maybe http://trac.webkit.org/changeset/142505 ?
<rdar://problem/13216100>
I'm able to reproduce the crash with one of our sites reliably now and cooked up a testcase. I stripped out as much HTML as I could.

To reproduce:
* navigate to http://static.abloom.at/kommen/webkit/bug-109826.html
* click Safari's previous page button
* click Safari's next page button

Hope that helps.
Created attachment 188651 [details] Patch
Comment on attachment 188651 [details]
Patch

Clearing flags on attachment: 188651

Committed r143074: <http://trac.webkit.org/changeset/143074>
All reviewed patches have been landed. Closing bug.