I'm seeing a reproducible crash in WebCore::RenderBlock::layoutInlineChildren() in r32268. To reproduce the crash, go to http://www.farecompare.com/fare-search/year.html?type=homepage2&departure=AUS&destination=CLE&t=r&s=r#Select_Depart_Day and click the "September 2008" box.
Created attachment 20707 [details] crash log from r32268 crash log from r32268 attached.
Confirmed with r32282, this is a regression from Safari 3.1.1 (5525.18) Top of debug stack trace: Thread 0 Crashed: 0 com.apple.WebCore 0x0224ce32 WebCore::RenderBlock::determineStartPosition(bool&, WebCore::BidiResolver<WebCore::BidiIterator, WebCore::BidiRun>&, WTF::Vector<WebCore::RenderBlock::FloatWithRect, 0ul>&, unsigned int&) + 154 (bidi.cpp:1148) 1 com.apple.WebCore 0x0224df77 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 1605 (bidi.cpp:861) 2 com.apple.WebCore 0x02040a35 WebCore::RenderBlock::layoutBlock(bool) + 1299 (RenderBlock.cpp:580) 3 com.apple.WebCore 0x0202fb58 WebCore::RenderBlock::layout() + 54 (RenderBlock.cpp:494) 4 com.apple.WebCore 0x0224fa2d WebCore::RenderObject::layoutIfNeeded() + 41 (RenderObject.h:500)
This no longer causes a crash with the original reproduction scenario. Resolving this as WORKSFORME since the underlying defect was most likely fixed.
Reopening to close as duplicate.
*** This bug has been marked as a duplicate of 18722 ***