To reproduce: 1. Go to http://trac.webkit.org/ 2. Reload. You'll crash. The top two frames show initPutByIdTransition() being entered with previousStructure=0x00000000 and then crashing inside RefCountedBase::ref(), which looks like a null dereference of that argument. Here's the backtrace:
JavaScriptCore_debug.dll!WTF::RefCountedBase::ref() Line 36 + 0x3 bytes C++
> JavaScriptCore_debug.dll!JSC::StructureStubInfo::initPutByIdTransition(JSC::Structure * previousStructure=0x00000000, JSC::Structure * structure=0x0ead7fe8, JSC::StructureChain * chain=0x08ae4818) Line 116 C++
JavaScriptCore_debug.dll!JSC::JITThunks::tryCachePutByID(JSC::ExecState * callFrame=0x08d603b0, JSC::CodeBlock * codeBlock=0x0e77f210, JSC::ReturnAddressPtr returnAddress={...}, JSC::JSValue baseValue={...}, const JSC::PutPropertySlot & slot={...}, JSC::StructureStubInfo * stubInfo=0x0e780fc8) Line 703 C++
JavaScriptCore_debug.dll!cti_op_put_by_id(void * * args=0x0012e4d4) Line 1089 + 0x2f bytes C++
JavaScriptCore_debug.dll!@cti_op_convert_this@4() + 0x10f bytes C++
JavaScriptCore_debug.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x086a7330, JSC::ExecState * callFrame=0x08d60058, JSC::JSGlobalData * globalData=0x0867a500, JSC::JSValue * exception=0x0867b058) Line 79 + 0x24 bytes C++
JavaScriptCore_debug.dll!JSC::Interpreter::execute(JSC::FunctionExecutable * functionExecutable=0x08baeb40, JSC::ExecState * callFrame=0x0868f480, JSC::JSFunction * function=0x07c529c0, JSC::JSObject * thisObj=0x07c53440, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x0e1f3840, JSC::JSValue * exception=0x0867b058) Line 721 + 0x34 bytes C++
JavaScriptCore_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0868f480, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 120 + 0x4e bytes C++
JavaScriptCore_debug.dll!JSC::call(JSC::ExecState * exec=0x0868f480, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 39 + 0x2b bytes C++
WebKit_debug.dll!WebCore::JSEventListener::handleEvent(WebCore::Event * event=, bool isWindowEvent=) Line 120 + 0x4d bytes C++
WebKit_debug.dll!WebCore::DOMWindow::handleEvent(WebCore::Event * event=0x0ea09168, bool useCapture=false, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>,0> * alternateListeners=[...]()) Line 1260 + 0x20 bytes C++
WebKit_debug.dll!WebCore::DOMWindow::dispatchEventWithDocumentAsTarget(WTF::PassRefPtr<WebCore::Event> e={...}, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>,0> * alternateEventListeners=[...]()) Line 1341 C++
WebKit_debug.dll!WebCore::DOMWindow::dispatchUnloadEvent(WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>,0> * alternateEventListeners=[...]()) Line 1361 C++
WebKit_debug.dll!WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy unloadEventPolicy=UnloadEventPolicyUnloadAndPageHide, WebCore::DatabasePolicy databasePolicy=DatabasePolicyStop) Line 588 C++
WebKit_debug.dll!WebCore::FrameLoader::closeURL() Line 650 C++
WebKit_debug.dll!WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage> cachedPage={...}) Line 2952 C++
WebKit_debug.dll!WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::CachedPage> prpCachedPage={...}) Line 2883 C++
WebKit_debug.dll!WebCore::DocumentLoader::commitIfReady() Line 322 C++
WebKit_debug.dll!WebCore::DocumentLoader::commitLoad(const char * data=0x0eb48aa8, int length=1971) Line 341 C++
WebKit_debug.dll!WebCore::DocumentLoader::receivedData(const char * data=0x0eb48aa8, int length=1971) Line 355 C++
WebKit_debug.dll!WebCore::FrameLoader::receivedData(const char * data=0x0eb48aa8, int length=1971) Line 2524 C++
WebKit_debug.dll!WebCore::MainResourceLoader::addData(const char * data=0x0eb48aa8, int length=1971, bool allAtOnce=false) Line 144 C++
WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(const char * data=0x0eb48aa8, int length=1971, __int64 lengthReceived=1971, bool allAtOnce=false) Line 248 + 0x1b bytes C++
WebKit_debug.dll!WebCore::MainResourceLoader::didReceiveData(const char * data=0x0eb48aa8, int length=1971, __int64 lengthReceived=1971, bool allAtOnce=false) Line 357 C++
WebKit_debug.dll!WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle * __formal=0x0eaa0ad0, const char * data=0x0eb48aa8, int length=1971, int lengthReceived=1971) Line 398 + 0x1f bytes C++
WebKit_debug.dll!WebCore::didReceiveData(_CFURLConnection * conn=0x08d035d8, const __CFData * data=0x0e784d10, long originalLength=1971, const void * clientInfo=0x0eaa0ad0) Line 176 + 0x2a bytes C++
<rdar://problem/7239395>
Created attachment 39861 [details] Patch v1
Comment on attachment 39861 [details] Patch v1 r=me
Committed r48590