Created attachment 243008 [details] backtrace WebKitGTK+ 3.6.4 (Epiphany 3.14.2) crashes 100% of the time in the JSC JIT when loading https://docs.google.com/document/d/1Fe2ZSEazdqzxBWHDjGF8WuYwsI6-C95Ljmn-QiMyl94 I can't reproduce the crash with master, so it might already been fixed.
I get similar backtraces with Debian Sid's version (2.6.2). This is what I get when loading a document in Google Docs Program received signal SIGSEGV, Segmentation fault. 0x00007f070dc67898 in putByIndex (shouldThrow=<optimized out>, value=..., propertyName=<optimized out>, exec=<optimized out>, this=<optimized out>) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:738 738 /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h: No such file or directory. (gdb) bt #0 0x00007f070dc67898 in putByIndex (shouldThrow=<optimized out>, value=..., propertyName=<optimized out>, exec=<optimized out>, this=<optimized out>) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:738 #1 JSC::putByVal (callFrame=callFrame@entry=0x7fffef6c1b80, baseValue=..., subscript=..., value=..., value@entry=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/JavaScriptCore/jit/JITOperations.cpp:462 #2 0x00007f070dc67a2e in JSC::operationPutByValGeneric (exec=0x7fffef6c1b80, encodedBaseValue=139667840554384, encodedSubscript=0, encodedValue=139666003847216) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/JavaScriptCore/jit/JITOperations.cpp:591
Obsolete