I don't yet know how to reproduce this, but here's the some information about the assertion I saw. Assertion: ASSERT(!m_loader); XMLHTTPRequest::m_url: http://www.google.com/reader/user-info?ck=1228326264938&client=scroll XMLHTTPRequest::m_lastSendURL: http://www.google.com/reader/ui/4201809102-en-scroll.js?hl=en Backtrace: WebKit_debug.dll!WebCore::XMLHttpRequest::contextDestroyed() Line 1431 + 0x31 bytes C++ > WebKit_debug.dll!WebCore::ScriptExecutionContext::~ScriptExecutionContext() Line 65 + 0x1c bytes C++ WebKit_debug.dll!WebCore::Document::~Document() Line 462 + 0x32a bytes C++ WebKit_debug.dll!WebCore::HTMLDocument::~HTMLDocument() Line 91 + 0x47 bytes C++ WebKit_debug.dll!WebCore::HTMLDocument::`scalar deleting destructor'() + 0x16 bytes C++ WebKit_debug.dll!WebCore::Document::selfOnlyDeref() Line 209 + 0x22 bytes C++ WebKit_debug.dll!WebCore::DocPtr<WebCore::Document>::~DocPtr<WebCore::Document>() Line 32 + 0x2d bytes C++ WebKit_debug.dll!WebCore::Node::~Node() Line 211 + 0x13 bytes C++ WebKit_debug.dll!WebCore::EventTargetNode::~EventTargetNode() Line 76 + 0x28 bytes C++ WebKit_debug.dll!WebCore::ContainerNode::~ContainerNode() Line 67 + 0x8 bytes C++ WebKit_debug.dll!WebCore::Element::~Element() Line 73 + 0x1e bytes C++ WebKit_debug.dll!WebCore::StyledElement::~StyledElement() Line 125 + 0x13 bytes C++ WebKit_debug.dll!WebCore::HTMLElement::~HTMLElement() Line 62 + 0x8 bytes C++ WebKit_debug.dll!WebCore::HTMLDivElement::~HTMLDivElement() Line 41 + 0x8 bytes C++ WebKit_debug.dll!WebCore::HTMLDivElement::`scalar deleting destructor'() + 0x16 bytes C++ WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::removedLastRef() Line 99 + 0x22 bytes C++ WebKit_debug.dll!WebCore::TreeShared<WebCore::Node>::deref() Line 69 + 0xf bytes C++ WebKit_debug.dll!WTF::RefPtr<WebCore::Node>::~RefPtr<WebCore::Node>() Line 50 + 0x2d bytes C++ WebKit_debug.dll!WebCore::JSNode::~JSNode() Line 192 + 0xb bytes C++ WebKit_debug.dll!WebCore::JSEventTargetNode::~JSEventTargetNode() + 0x16 bytes C++ WebKit_debug.dll!WebCore::JSElement::~JSElement() + 0x16 bytes C++ WebKit_debug.dll!WebCore::JSHTMLElement::~JSHTMLElement() + 0x16 bytes C++ WebKit_debug.dll!WebCore::JSHTMLDivElement::~JSHTMLDivElement() + 0x16 bytes C++ WebKit_debug.dll!WebCore::JSHTMLDivElement::`scalar deleting destructor'() + 0x16 bytes C++ WebKit_debug.dll!JSC::Heap::sweep<0>() Line 898 + 0x10 bytes C++ WebKit_debug.dll!JSC::Heap::collect() Line 997 + 0x8 bytes C++ WebKit_debug.dll!WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController> * __formal=0x047fe168) Line 75 C++ WebKit_debug.dll!WebCore::Timer<WebCore::GCController>::fired() Line 99 + 0x23 bytes C++ WebKit_debug.dll!WebCore::TimerBase::fireTimers(double fireTime=1228326265.6454067, const WTF::Vector<WebCore::TimerBase *,0> & firingTimers=[3](0x0482c498 {m_nextFireTime=??? m_repeatInterval=??? m_heapIndex=??? ...},0x06b44230 {m_nextFireTime=??? m_repeatInterval=??? m_heapIndex=??? ...},0x047fe168 {m_nextFireTime=??? m_repeatInterval=??? m_heapIndex=??? ...})) Line 347 + 0xf bytes C++ WebKit_debug.dll!WebCore::TimerBase::sharedTimerFired() Line 368 + 0x12 bytes C++ WebKit_debug.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd=0x00040a1c, unsigned int message=49540, unsigned int wParam=0, long lParam=0) Line 102 + 0x8 bytes C++
Also, XMLHttpRequest::m_loader->m_frame is null
Created attachment 25716 [details] reduced test case (will crash)
<rdar://problem/6415475>
Created attachment 25720 [details] proposed fix
Comment on attachment 25720 [details] proposed fix r=me
Committed revision 38962.