RESOLVED FIXED Bug 28250
Crash in FrameLoader::loadResourceSynchronously
https://bugs.webkit.org/show_bug.cgi?id=28250
Xan Lopez
Reported 2009-08-13 02:56:00 PDT
Created attachment 34726
mem_test.html

Running ToT (r47187), execute the attached testcase in a new tab/window, and then close it. It will crash with the following bt, confirmed in at least GTK and Qt ports.

[Thread debugging using libthread_db enabled]
[New Thread 0xb454f700 (LWP 22030)]
[New Thread 0xb3534b90 (LWP 22041)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb454f700 (LWP 22030)]
0xb6e8e7aa in WTF::OwnPtr<WebCore::ApplicationCacheHost>::get (this=0x4dc) at ../../../JavaScriptCore/wtf/OwnPtr.h:55
55 PtrType get() const { return m_ptr; }
(gdb) bt
#0 0xb6e8e7aa in WTF::OwnPtr<WebCore::ApplicationCacheHost>::get (this=0x4dc) at ../../../JavaScriptCore/wtf/OwnPtr.h:55
#1 0xb6e8e7d0 in WebCore::DocumentLoader::applicationCacheHost (this=0x0) at ../../../WebCore/loader/DocumentLoader.h:208
#2 0xb6f5b9d1 in WebCore::FrameLoader::loadResourceSynchronously ( this=0x8aea19c, request=@0xbfabc278, storedCredentials=WebCore::AllowStoredCredentials, error=@0xbfabc19c, response=@0xbfabc104, data=@0xbfabc1b0) at ../../../WebCore/loader/FrameLoader.cpp:3728
#3 0xb6f4b05a in WebCore::DocumentThreadableLoader::loadResourceSynchronously (document=0x8dfdbe0, request=@0xbfabc278, client=@0x8e151d4, storedCredentials=WebCore::AllowStoredCredentials) at ../../../WebCore/loader/DocumentThreadableLoader.cpp:55
#4 0xb6f9800c in WebCore::ThreadableLoader::loadResourceSynchronously ( context=0x8dfdc10, request=@0xbfabc278, client=@0x8e151d4, storedCredentials=WebCore::AllowStoredCredentials) at ../../../WebCore/loader/ThreadableLoader.cpp:69
#5 0xb71e27cf in WebCore::XMLHttpRequest::loadRequestSynchronously ( this=0x8e151c8, request=@0xbfabc278, ec=@0xbfabc44c) at ../../../WebCore/xml/XMLHttpRequest.cpp:663
#6 0xb71e2a60 in WebCore::XMLHttpRequest::makeSameOriginRequest ( this=0x8e151c8, ec=@0xbfabc44c) at ../../../WebCore/xml/XMLHttpRequest.cpp:510
---Type <return> to continue, or q <return> to quit---
#7 0xb71e452b in WebCore::XMLHttpRequest::createRequest (this=0x8e151c8, ec=@0xbfabc44c) at ../../../WebCore/xml/XMLHttpRequest.cpp:488
#8 0xb71e49b1 in WebCore::XMLHttpRequest::send (this=0x8e151c8, body=@0xbfabc3e8, ec=@0xbfabc44c) at ../../../WebCore/xml/XMLHttpRequest.cpp:446
#9 0xb71e49f2 in WebCore::XMLHttpRequest::send (this=0x8e151c8, ec=@0xbfabc44c) at ../../../WebCore/xml/XMLHttpRequest.cpp:389
#10 0xb6b96f3b in WebCore::JSXMLHttpRequest::send (this=0xb2b11400, exec=0xb2b34050, args=@0xbfabc4bc) at ../../../WebCore/bindings/js/JSXMLHttpRequestCustom.cpp:125
#11 0xb7759b84 in WebCore::jsXMLHttpRequestPrototypeFunctionSend ( exec=0xb2b34050, thisValue={m_ptr = 0xb2b11400}, args=@0xbfabc4bc) at generated/debug/JSXMLHttpRequest.cpp:373
#12 0xb38d9167 in ?? ()
#13 0xb6a6307d in JSC::JITCode::execute (this=0x8e15530, registerFile=0x8e04f78, callFrame=0xb2b34024, globalData=0x8e02e18, exception=0x8e03334) at ../../../JavaScriptCore/jit/JITCode.h:79
#14 0xb6a641b7 in JSC::Interpreter::execute (this=0x8e04f70, functionBodyNode=0x8e15518, callFrame=0x8e05454, function=0xb2b11380, thisObj=0xb2b10000, args=@0xbfabc6e0, scopeChain=0x8e057e0, exception=0x8e03334) at ../../../JavaScriptCore/interpreter/Interpreter.cpp:722
#15 0xb6ac2890 in JSC::JSFunction::call (this=0xb2b11380, exec=0x8e05454,
Attachments
mem_test.html (311 bytes, text/html)
2009-08-13 02:56 PDT, Xan Lopez
no flags
Alexey Proskuryakov
Comment 1 2011-10-31 11:23:19 PDT
I cannot reproduce this in Safari/WebKit ToT. This sounds a bit like bug 70218, but that was only about Soup, not Qt.
Dominik Röttsches (drott)
Comment 2 2012-10-30 07:46:03 PDT
Can't reproduce it on EFL, and I doubt it would reproduce on GTK any more. Can we close it, Xan?
Xan Lopez
Comment 3 2012-10-30 09:34:33 PDT
Can't repro in GTK+ anymore either, closing.