The following crash stack trace tells me so: (gdb) bt #0 JSC::Register::jsValue (this=0xbadbeef0badbf07) at Register.h:118 #1 0x000000010b8843c5 in JSC::Register::scope (this=0xbadbeef0badbf07) at JSScope.h:237 #2 0x000000010b8842b5 in JSC::ExecState::scope (this=0xbadbeef0badbeef) at CallFrame.h:49 #3 0x000000010b884275 in JSC::ExecState::lexicalGlobalObject (this=0xbadbeef0badbeef) at JSScope.h:248 #4 0x000000010b890c55 in WebCore::currentWorld (exec=0xbadbeef0badbeef) at DOMWrapperWorld.h:77 #5 0x000000010cf6ac78 in WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy (this=0x7f9aecc096f0) at Source/WebCore/bindings/js/ScriptController.cpp:474 #6 0x000000010b8bb629 in WebCore::CachedResourceLoader::canRequest (this=0x7f9af50adf50, type=WebCore::CachedResource::ImageResource, url=@0x7fff57e618f0, options=@0x7fff57e61c28, forPreload=false) at Source/WebCore/loader/cache/CachedResourceLoader.cpp:299 #7 0x000000010b8bbc56 in WebCore::CachedResourceLoader::requestResource (this=0x7f9af50adf50, type=WebCore::CachedResource::ImageResource, request=@0x7fff57e61b48) at Source/WebCore/loader/cache/CachedResourceLoader.cpp:419 #8 0x000000010b8bb4f4 in WebCore::CachedResourceLoader::requestImage (this=0x7f9af50adf50, request=@0x7fff57e61b48) at Source/WebCore/loader/cache/CachedResourceLoader.cpp:163 #9 0x000000010ba51dd9 in WebCore::CSSImageValue::cachedImage (this=0x7f9afb4240c0, loader=0x7f9af50adf50, options=@0x10e89b678) at Source/WebCore/css/CSSImageValue.cpp:90 #10 0x000000010d10994a in WebCore::StyleResolver::loadPendingImage (this=0x7f9afa8666d0, pendingImage=0x7f9afb4b5890, options=@0x10e89b678) at Source/WebCore/css/StyleResolver.cpp:3516 #11 0x000000010d109b04 in WebCore::StyleResolver::loadPendingImage (this=0x7f9afa8666d0, pendingImage=0x7f9afb4b5890) at Source/WebCore/css/StyleResolver.cpp:3536 #12 0x000000010d109f23 in WebCore::StyleResolver::loadPendingImages (this=0x7f9afa8666d0) at Source/WebCore/css/StyleResolver.cpp:3572 #13 
0x000000010d1047fe in WebCore::StyleResolver::loadPendingResources (this=0x7f9afa8666d0) at Source/WebCore/css/StyleResolver.cpp:3671 #14 0x000000010d0fd64c in WebCore::StyleResolver::applyMatchedProperties (this=0x7f9afa8666d0, matchResult=@0x7fff57e68b70, element=0x7f9af7ac59c0, shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at Source/WebCore/css/StyleResolver.cpp:1768 #15 0x000000010d0fb29d in WebCore::StyleResolver::styleForElement (this=0x7f9afa8666d0, element=0x7f9af7ac59c0, defaultParent=0x0, sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0) at Source/WebCore/css/StyleResolver.cpp:821 #16 0x000000010bdb34a5 in WebCore::Element::styleForRenderer (this=0x7f9af7ac59c0) at Source/WebCore/dom/Element.cpp:1458 #17 0x000000010b8f23b6 in WebCore::Style::resolveLocal (current=@0x7f9af7ac59c0, inheritedChange=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:667 #18 0x000000010b8f1db0 in WebCore::Style::resolveTree (current=@0x7f9af7ac59c0, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:824 #19 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af9a24dc0, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #20 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af7161160, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #21 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af9bd1c10, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #22 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af98f5a90, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #23 0x000000010b8f1f70 in WebCore::Style::resolveTree (current=@0x7f9af9aa9d70, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #24 0x000000010b8f1f70 in 
WebCore::Style::resolveTree (current=@0x7f9afa81df00, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:856 #25 0x000000010b8f1c51 in WebCore::Style::resolveTree (document=@0x7f9aeda8be00, change=WebCore::Style::NoChange) at Source/WebCore/style/StyleResolveTree.cpp:898 #26 0x000000010bc18ae6 in WebCore::Document::recalcStyle (this=0x7f9aeda8be00, change=WebCore::Style::NoChange) at Source/WebCore/dom/Document.cpp:1740 #27 0x000000010bc1531f in WebCore::Document::updateStyleIfNeeded (this=0x7f9aeda8be00) at Source/WebCore/dom/Document.cpp:1788 #28 0x000000010bc16094 in WebCore::Document::updateLayout (this=0x7f9aeda8be00) at Source/WebCore/dom/Document.cpp:1807 #29 0x000000010bc1938f in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7f9aeda8be00) at Source/WebCore/dom/Document.cpp:1848 #30 0x000000010c14dbb7 in WebCore::HTMLObjectElement::renderWidgetForJSBindings (this=0x7f9afb55ba30) at Source/WebCore/html/HTMLObjectElement.cpp:86 #31 0x000000010c160d0b in WebCore::HTMLPlugInElement::pluginWidget (this=0x7f9afb55ba30) at Source/WebCore/html/HTMLPlugInElement.cpp:168 #32 0x000000010c701af9 in WebCore::pluginScriptObjectFromPluginViewBase (pluginElement=@0x7f9afb55ba30, globalObject=0x11b79d070) at Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:56 #33 0x000000010c701ee7 in WebCore::pluginScriptObjectFromPluginViewBase (jsHTMLElement=0x117a42c30) at Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:74 #34 0x000000010c701db9 in WebCore::pluginElementGetCallData (element=0x117a42c30, callData=@0x7fff57e699a8) at Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:164 #35 0x000000010c637205 in WebCore::JSHTMLObjectElement::getCallData (cell=0x117a42c30, callData=@0x7fff57e699a8) at Source/WebCore/bindings/js/JSHTMLObjectElementCustom.cpp:48 #36 0x000000010a36e505 in JSC::jsTypeStringForValue (vm=@0x7f9aee031800, globalObject=0x11b79d070, v={static numberOfInt52Bits = <optimized out>, static 
int52ShiftAmount = <optimized out>, u = {asInt64 = 4691602480, ptr = 0x117a42c30, asBits = {payload = 396635184, tag = 1}}}) at Source/JavaScriptCore/runtime/Operations.cpp:74 #37 0x000000010a36e59e in JSC::jsTypeStringForValue (callFrame=0x7fff57e69a80, v={static numberOfInt52Bits = <optimized out>, static int52ShiftAmount = <optimized out>, u = {asInt64 = 4691602480, ptr = 0x117a42c30, asBits = {payload = 396635184, tag = 1}}}) at Source/JavaScriptCore/runtime/Operations.cpp:82 #38 0x000000010a04bcf5 in operationTypeOf (exec=0x7fff57e69a80, value=0x117a42c30) at Source/JavaScriptCore/dfg/DFGOperations.cpp:826 #39 0x000048cbeba5b36a in ?? () #40 0x000048cbeba5a99e in ?? () …
ref: <rdar://problem/15709259>
Created attachment 223201 [details] Set VM::topCallFrame in DFG::operationTypeOf() using NativeCallFrameTracer.
Created attachment 223202 [details] Removed a ' ' in the ChangeLog.
Comment on attachment 223202 [details] Removed a ' ' in the ChangeLog. r=me
Comment on attachment 223202 [details] Removed a ' ' in the ChangeLog. Clearing flags on attachment: 223202 Committed r163426: <http://trac.webkit.org/changeset/163426>
All reviewed patches have been landed. Closing bug.
Regression test?