Happens every time, debug build r54266:

Program received signal SIGSEGV, Segmentation fault.
0x00ebd897 in WebCore::CheckedRadioButtons::removeButton (this=0x8c17efc, element=0x8b4ba10) at ../../WebCore/dom/CheckedRadioButtons.cpp:82
82	    ASSERT(inputElement->isChecked());
(gdb) bt
#0  0x00ebd897 in WebCore::CheckedRadioButtons::removeButton (this=0x8c17efc, element=0x8b4ba10) at ../../WebCore/dom/CheckedRadioButtons.cpp:82
#1  0x0101babe in WebCore::HTMLInputElement::~HTMLInputElement (this=0x8b4ba10, __in_chrg=<value optimized out>) at ../../WebCore/html/HTMLInputElement.cpp:114
#2  0x0101bb67 in WebCore::HTMLInputElement::~HTMLInputElement (this=0x8b4ba10, __in_chrg=<value optimized out>) at ../../WebCore/html/HTMLInputElement.cpp:119
#3  0x00ebb843 in WebCore::TreeShared<WebCore::Node>::removedLastRef (this=0x8b4ba14) at ../../WebCore/platform/TreeShared.h:108
#4  0x00d4180c in WebCore::TreeShared<WebCore::Node>::deref (this=0x8b4ba14) at ../../WebCore/platform/TreeShared.h:69
#5  0x00d41850 in WTF::RefPtr<WebCore::Node>::~RefPtr (this=0xb6ab8b6c, __in_chrg=<value optimized out>) at ../../JavaScriptCore/wtf/RefPtr.h:53
#6  0x01737ea9 in WebCore::JSNode::~JSNode (this=0xb6ab8b40, __in_chrg=<value optimized out>) at DerivedSources/JSNode.cpp:225
#7  0x00d76177 in WebCore::JSElement::~JSElement (this=0xb6ab8b40, __in_chrg=<value optimized out>) at ./DerivedSources/JSElement.h:33
#8  0x0176072d in WebCore::JSHTMLElement::~JSHTMLElement (this=0xb6ab8b40, __in_chrg=<value optimized out>) at DerivedSources/JSHTMLElement.h:31
#9  0x0178d7e1 in WebCore::JSHTMLInputElement::~JSHTMLInputElement (this=0xb6ab8b40, __in_chrg=<value optimized out>) at DerivedSources/JSHTMLInputElement.h:30
#10 0x016846b4 in JSC::Heap::sweep (this=0x88f5da0) at ../../JavaScriptCore/runtime/Collector.cpp:1084
#11 0x01684e23 in JSC::Heap::collectAllGarbage (this=0x88f5da0) at ../../JavaScriptCore/runtime/Collector.cpp:1264
#12 0x00d69160 in WebCore::collect () at ../../WebCore/bindings/js/GCController.cpp:46
#13 0x00d69296 in WebCore::GCController::gcTimerFired (this=0x89762f0) at ../../WebCore/bindings/js/GCController.cpp:69
#14 0x00d69470 in WebCore::Timer<WebCore::GCController>::fired (this=0x89762f4) at ../../WebCore/platform/Timer.h:98
#15 0x011a2bc3 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x84096f0) at ../../WebCore/platform/ThreadTimers.cpp:112
#16 0x011a2b0b in WebCore::ThreadTimers::sharedTimerFired () at ../../WebCore/platform/ThreadTimers.cpp:90
#17 0x014eea6d in WebCore::timeout_cb () at ../../WebCore/platform/gtk/SharedTimerGtk.cpp:48
#18 0x026f7681 in g_idle_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at gmain.c:4065
#19 0x026f9645 in g_main_dispatch (context=<value optimized out>) at gmain.c:1960
#20 IA__g_main_context_dispatch (context=<value optimized out>) at gmain.c:2513
#21 0x026fd340 in g_main_context_iterate (context=<value optimized out>, block=<value optimized out>, dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:2591
#22 0x026fd88f in IA__g_main_loop_run (loop=<value optimized out>) at gmain.c:2799
#23 0x044e8332 in IA__gtk_main () at gtkmain.c:1219
#24 0x0806e70e in main (argc=1, argv=0xbfffee74) at ../../src/ephy-main.c:739
This affects each and every page using jQuery 1.4.1.
Created attachment 48167: proposed fix
Committed revision 54372.
Created attachment 53778: Simplified Test Case

The test case is a simple page containing a radio box. The radio box is initially checked. But a call to radioBox.cloneNode() would unintentionally uncheck the radio box.
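A constructed reproduction of the simplified test case described in the comment above, written in the style of a WebKit layout test. It is added here for illustration and is not the attached test case (attachment 53778); the element ids `r1`, `r2`, `f` and `result` and the `runTest()` function are assumptions made for this example. It exercises both a shallow clone of the radio button itself and a deep clone of its enclosing form, and reports PASS only if the original button is still checked after both calls.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>cloneNode() must not change the checked state of the original radio button</title>
</head>
<body>
<!-- Constructed reproduction for this bug; not the attached test case. -->
<form id="f">
  <input type="radio" name="g" id="r1" checked>
  <input type="radio" name="g" id="r2">
</form>
<pre id="result"></pre>
<script>
function log(msg) {
  document.getElementById('result').textContent += msg + '\n';
}

function runTest() {
  var radio = document.getElementById('r1');
  var before = radio.checked;

  // Shallow clone of the checked radio button: the comment above describes
  // this call unintentionally unchecking the original element.
  var clone = radio.cloneNode(false);
  var afterShallow = radio.checked;

  // Deep clone of the enclosing form, so the radio button is cloned as part
  // of a subtree rather than directly.
  var formClone = document.getElementById('f').cloneNode(true);
  var afterDeep = radio.checked;

  log('original checked before cloneNode():          ' + before);
  log('original checked after radio.cloneNode(false): ' + afterShallow);
  log('original checked after form.cloneNode(true):   ' + afterDeep);
  log('clone checked (clone is not in the document):  ' + clone.checked);

  var pass = before === true && afterShallow === true && afterDeep === true;
  log(pass ? 'PASS' : 'FAIL: cloneNode() changed the checked state of the original radio button');
  return pass;
}

runTest();
</script>
</body>
</html>
```

Only the original button's state is asserted; the clone's own checked state is printed for inspection, since the comment makes no claim about it.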
This fix was an immediate cause of bug 37900.