Steps to reproduce:
1. Visit http://www.menulog.com.au/search.php?submit2=T&searchMode=takeaway&cartType=delivery&majorRegionId=28&postcode=2010
2. Click the "Order" button alongside one of the restaurants that prepares yummy food.
3. Click "Order Delivery".
4. Click on "Surry Hills - 2010" so that the food can be delivered to me.

Expected results:
Tasty food delivered to my door.

Actual results:
Crash after step 5.

Notes:
This worked as recently as last Wednesday.
Created attachment 16911 [details] Crash log
Top of the crash log for easy reference:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.WebCore 0x01e7838c KJS::Window::pauseTimeouts() + 248 (kjs_window.cpp:1564)
1 com.apple.WebCore 0x020a15af WebCore::CachedPage::CachedPage(WebCore::Page*) + 615 (CachedPage.cpp:101)
2 com.apple.WebCore 0x020a1668 WebCore::CachedPage::CachedPage(WebCore::Page*) + 24 (CachedPage.cpp:110)
3 com.apple.WebCore 0x020a169b WebCore::CachedPage::create(WebCore::Page*) + 49 (CachedPage.cpp:72)
> Actual results:
> Crash after step 5.

This should have said step 4.
Doesn't crash for me in a debug build.
Hrm, in step 2 try the second restaurant in the list, "Foodgame". Some others appear to not crash.
"git bisect" has narrowed this down to Maciej's HashTable change in http://trac.webkit.org/projects/webkit/changeset/27176. Previous revisions do not crash.
Reduction:

<script>
setTimeout('', 1000);
clearTimeout(0);
clearTimeout(0);
window.location = 'about:blank';
</script>

In pauseTimeouts, d->m_timeouts.size() is returning a negative number.
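The symptom in the reduction above (a size() that goes negative after clearTimeout is called twice with an id that was never allocated) is the signature of a container whose element count is decremented on a removal that did not actually remove anything. The following is an added illustration, not WebKit code and not the fix that went into r27176: a toy timeout table with a manually tracked count, the unchecked removal that reproduces the negative size, the checked removal that avoids it, and the consistency test that code like pauseTimeouts() could run before iterating. The id value 1 and the exact root cause in the real HashTable are assumptions.

```cpp
// Added example, not WebKit code. Mirrors the failure mode in the reduction:
// a timeout table whose element count is decremented even when the removed
// id was never present, so size() becomes negative. Whether this is exactly
// what the HashTable change did is an assumption; the bug class is general.
#include <cassert>
#include <cstdio>
#include <string>
#include <unordered_map>

struct TimeoutTable {
    std::unordered_map<int, std::string> entries;  // timeout id -> callback source
    int count = 0;                                 // manually tracked size

    void add(int id, const std::string& code) {
        if (entries.emplace(id, code).second)
            ++count;
    }

    // Unchecked removal (hypothetical): decrements the count whether or not
    // the id existed. Two clearTimeout(0) calls drive count below zero.
    void removeUnchecked(int id) {
        entries.erase(id);
        --count;
    }

    // Checked removal: only decrement when an element was actually erased.
    void removeChecked(int id) {
        if (entries.erase(id) == 1)
            --count;
    }

    int size() const { return count; }

    // The invariant a caller can verify cheaply before trusting size().
    bool consistent() const {
        return count >= 0 && count == static_cast<int>(entries.size());
    }
};

// Replays the reduction: one setTimeout, then clearTimeout(0) twice.
// id 1 for the registered timeout is a constructed value.
TimeoutTable replayReduction(bool checked) {
    TimeoutTable t;
    t.add(1, "");                       // setTimeout('', 1000)
    for (int i = 0; i < 2; ++i) {       // clearTimeout(0) twice: no such id
        if (checked)
            t.removeChecked(0);
        else
            t.removeUnchecked(0);
    }
    return t;
}

// What pauseTimeouts-style code should do: refuse to walk the table when the
// count disagrees with the real contents, instead of iterating off the end.
bool pauseAllSafe(const TimeoutTable& t) {
    if (!t.consistent())
        return false;
    for (const auto& e : t.entries)
        (void)e;                        // pause each timeout here
    return true;
}

int main() {
    std::printf("unchecked size after reduction: %d\n", replayReduction(false).size());
    std::printf("checked size after reduction:   %d\n", replayReduction(true).size());
    std::printf("pause with unchecked table ok:  %s\n", pauseAllSafe(replayReduction(false)) ? "yes" : "no");
    return 0;
}
```

The unchecked replay leaves size() at -1 while the map still holds one entry; the checked replay leaves it at 1. A size()-driven loop over the former is exactly the kind of out-of-bounds walk that shows up as EXC_BAD_ACCESS in a release build and may stay silent in a debug build with different allocation patterns.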
Created attachment 16924 [details] Reduction from Comment #7
(In reply to comment #7)
> Reduction:
[...]
>
> In pauseTimeouts, d->m_timeouts.size() is returning a negative number.

Thanks, John!
Created attachment 16929 [details] let bdash have dinner
Comment on attachment 16929 [details]
let bdash have dinner

r=me