WebKit Bugzilla
Bug 44861 - WebKit crashes when clicking FINANCE tab in yahoo.com
Status: RESOLVED INVALID
https://bugs.webkit.org/show_bug.cgi?id=44861
Yuzo Fujishima
Reported 2010-08-30 02:45:02 PDT

Created attachment 65897
FINANCE tab location

0. Build WebKit at r66356 (anything at or later than 66327 should do).
1. Open http://yahoo.com
2. Click the "FINANCE" tab in the middle of the page.
3. Observe the crash.

I confirmed that the browser doesn't crash if I revert r66327.
http://trac.webkit.org/changeset/66327
Attachments
FINANCE tab location (545.88 KB, image/png)
2010-08-30 02:45 PDT, Yuzo Fujishima
Yuzo Fujishima
Comment 1
2010-08-30 02:46:14 PDT
Please see the attached image if the location of the FINANCE tab is unclear.
Darin Adler
Comment 2
2010-08-30 10:25:59 PDT
I’ll look at this. One thing others could do to help is to reduce the test case. Yahoo might change their site design, for one thing. Also, bugs are much easier to fix when we have a test case that's not a complete live site.
Darin Adler
Comment 3
2010-08-30 10:27:43 PDT
Another useful thing is to attach a crash log. Is this an assertion failure or some kind of real-world crash?
Ryosuke Niwa
Comment 4
2010-08-30 10:35:18 PDT
I'm on r66395 and cannot reproduce the crash.
Darin Adler
Comment 5
2010-08-30 10:45:09 PDT
I am also unable to reproduce the crash; I have tried repeatedly.
Tony Chang
Comment 6
2010-08-30 10:48:20 PDT
I also can't repro on ToT. Maybe this was fixed since then. When it's morning in Tokyo, Yuzo can update this bug if he can still repro.
Yuzo Fujishima
Comment 7
2010-08-30 19:00:25 PDT
I myself cannot reproduce it now by the described steps. Sorry for not taking a stack trace at that time.

I still see crashes, though, at least at r66441 (ToT as of this writing) and r66381 (as of the original report), with or without r66327. (I guess r66327 somehow made the issues show up more easily for me.)

Unfortunately, I was unable to reduce the issue to a test or define a clear reproduction procedure. What I did:
- Open yahoo.com
- Click around (e.g. FINANCE, LOCAL, ... tabs), navigate back and forth, for a few minutes.

I see several kinds of failures. (Perhaps memory corruption somewhere?)

========================================================================
$ uname -a
Darwin ******** 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386

$ git svn info
Path: .
URL: http://svn.webkit.org/repository/webkit/trunk
Repository Root: http://svn.webkit.org/repository/webkit
Repository UUID: 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Revision: 66381
Node Kind: directory
Schedule: normal
Last Changed Author: yuzo@google.com
Last Changed Rev: 66381
Last Changed Date: 2010-08-30 03:06:50 -0700 (Mon, 30 Aug 2010)

========================================================================
$ debug-safari --debug
Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug.
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done

(gdb) r
Starting program: /Applications/Safari.app/Contents/MacOS/Safari
Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
ASSERTION FAILED: !m_provisionalDocumentLoader->timing()->navigationStart
(<WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2453 void WebCore::FrameLoader::continueLoadAfterWillSubmitForm())

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x046d4b57 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x887c42c) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2453
2453        ASSERT(!m_provisionalDocumentLoader->timing()->navigationStart);
(gdb) where
#0  0x046d4b57 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x887c42c) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2453
#1  0x046dc9de in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x887c42c, formState=@0xbfffe698, shouldContinue=true) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2971
#2  0x046dca2c in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x887c42c, request=@0x8c46f00, formState=@0xbfffe754, shouldContinue=true) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2870
#3  0x04bfe323 in WebCore::PolicyChecker::checkNavigationPolicy (this=0x887c434, request=@0x8c46f00, loader=0x8c46c00, formState=@0xbfffe82c, function=0x46dc9e6 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x887c42c) at <WebKitSrcDir>/WebCore/loader/PolicyChecker.cpp:78
#4  0x046dce73 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x887c42c, loader=0x8c46c00, type=WebCore::FrameLoadTypeBack, prpFormState=@0xbfffea44) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:1481
#5  0x046ddccf in WebCore::FrameLoader::navigateToDifferentDocument (this=0x887c42c, item=0x1773dcf0, loadType=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:3154
#6  0x046de373 in WebCore::FrameLoader::loadItem (this=0x887c42c, item=0x1773dcf0, loadType=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:3257
#7  0x04736060 in WebCore::HistoryController::recursiveGoToItem (this=0x887c530, item=0x1773dcf0, fromItem=0x177afd80, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/HistoryController.cpp:595
#8  0x047361d0 in WebCore::HistoryController::goToItem (this=0x887c530, targetItem=0x1773dcf0, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/HistoryController.cpp:238
#9  0x04bd7434 in WebCore::Page::goToItem (this=0x119f370, item=0x1773dcf0, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/page/Page.cpp:365
#10 0x04bd7616 in WebCore::Page::goBack (this=0x119f370) at <WebKitSrcDir>/WebCore/page/Page.cpp:291
#11 0x00dc7425 in -[WebView goBack] (self=0x112c1e0, _cmd=0x96b45dac) at <WebKitSrcDir>/WebKit/mac/WebView/WebView.mm:3236
#12 0x00dbc4ee in -[WebView(WebIBActions) goBack:] (self=0x112c1e0, _cmd=0x96b00610, sender=0x11d8a00) at <WebKitSrcDir>/WebKit/mac/WebView/WebView.mm:3940
#13 0x000b8147 in ?? ()
#14 0x93d9ae8f in -[NSApplication sendAction:to:from:] ()
#15 0x00047af7 in ?? ()
#16 0x93d9adcc in -[NSControl sendAction:to:] ()
#17 0x93d9ac52 in -[NSCell _sendActionFrom:] ()
#18 0x93f45db8 in -[NSSegmentedCell _sendActionFrom:] ()
#19 0x93d9a2ab in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] ()
#20 0x93f45ae3 in -[NSSegmentedCell trackMouse:inRect:ofView:untilMouseUp:] ()
#21 0x93d993b8 in -[NSControl mouseDown:] ()
#22 0x93d97af7 in -[NSWindow sendEvent:] ()
#23 0x0003ffaa in ?? ()
#24 0x0003ff37 in ?? ()
#25 0x93d646a5 in -[NSApplication sendEvent:] ()
#26 0x000371cc in ?? ()
#27 0x93cc1fe7 in -[NSApplication run] ()
#28 0x93c8f1d8 in NSApplicationMain ()
#29 0x0000a57e in ?? ()
Current language:  auto; currently c++
(gdb)

========================================================================
$ debug-safari --debug
Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug.
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done

(gdb) run
Starting program: /Applications/Safari.app/Contents/MacOS/Safari
Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
[Switching to process 7028 thread 0x5e07]
0x0070f775 in JSC::Identifier::equal (r=0x1baf0cd0, s=0x1ba7a2b0, length=15) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:84
84          if (d[i] != s[i])
(gdb) where
#0  0x0070f775 in JSC::Identifier::equal (r=0x1baf0cd0, s=0x1ba7a2b0, length=15) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:84
#1  0x00710364 in JSC::IdentifierUCharBufferTranslator::equal (str=0x1baf0cd0, buf=@0xb0c825d8) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:157
#2  0x00710502 in WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator>::equal (a=@0x8a401a8, b=@0xb0c825d8) at HashSet.h:104
#3  0x007107da in WTF::HashTable<WTF::StringImpl*, WTF::StringImpl*, WTF::IdentityExtractor<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*>, WTF::HashTraits<WTF::StringImpl*> >::fullLookupForWriting<JSC::UCharBuffer, WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> > (this=0x160b8bb4, key=@0xb0c825d8) at HashTable.h:613
#4  0x0071228e in WTF::HashTable<WTF::StringImpl*, WTF::StringImpl*, WTF::IdentityExtractor<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*>, WTF::HashTraits<WTF::StringImpl*> >::addPassingHashCode<JSC::UCharBuffer, JSC::UCharBuffer, WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> > (this=0x160b8bb4, key=@0xb0c825d8, extra=@0xb0c825d8) at HashTable.h:724
#5  0x007124e5 in WTF::HashSet<WTF::StringImpl*, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*> >::add<JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> (this=0x160b8bb4, value=@0xb0c825d8) at HashSet.h:188
#6  0x00712533 in JSC::IdentifierTable::add<JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> (this=0x160b8bb0, value={s = 0x1ba7a2b0, length = 15}) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:53
#7  0x0070fe24 in JSC::Identifier::add (globalData=0x8a3ac00, s=0x1ba7a2b0, length=15) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:224
#8  0x007b7dfa in JSC::Identifier::Identifier (this=0xb0c8267c, globalData=0x8a3ac00, s=0x1ba7a2b0, length=15) at Identifier.h:44
#9  0x007b7e42 in JSC::IdentifierArena::makeIdentifier (this=0x1bae6da0, globalData=0x8a3ac00, characters=0x1ba7a2b0, length=15) at ParserArena.h:52
#10 0x007b7e98 in JSC::Lexer::makeIdentifier (this=0x160b6c20, characters=0x1ba7a2b0, length=15) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:325
#11 0x007b82f9 in JSC::Lexer::parseString (this=0x160b6c20, lvalp=0xb0c82ea0) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:533
#12 0x007b6dfe in JSC::Lexer::lex (this=0x160b6c20, lvalp=0xb0c82ea0, llocp=0xb0c82ea8, lexType=JSC::Lexer::IdentifyReservedWords) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:986
#13 0x0079e50a in JSC::JSParser::next (this=0xb0c82e5c, lexType=JSC::Lexer::IdentifyReservedWords) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:93
#14 0x007a6ac0 in JSC::JSParser::parseArrayLiteral<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1243
#15 0x007a6e46 in JSC::JSParser::parsePrimaryExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1271
#16 0x007a77a2 in JSC::JSParser::parseMemberExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1375
#17 0x007a7bd8 in JSC::JSParser::parseUnaryExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1441
#18 0x007a523d in JSC::JSParser::parseBinaryExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1054
#19 0x007a55c2 in JSC::JSParser::parseConditionalExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1020
#20 0x007a571d in JSC::JSParser::parseAssignmentExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:970
#21 0x007a6c2b in JSC::JSParser::parseExpression<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:945
#22 0x007a7452 in JSC::JSParser::parseExpressionStatement<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:861
#23 0x007a8694 in JSC::JSParser::parseStatement<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:757
#24 0x007a86c6 in JSC::JSParser::parseSourceElements<JSC::ASTBuilder> (this=0xb0c82e5c, context=@0xb0c82bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:252
#25 0x00791162 in JSC::JSParser::parseProgram (this=0xb0c82e5c) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:236
#26 0x007912a5 in JSC::jsParse (globalData=0x8a3ac00, source=0x1e5da614) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:207
#27 0x007ddf75 in JSC::Parser::parse (this=0x160b6c80, globalData=0x8a3ac00, errLine=0xb0c82f58, errMsg=0xb0c82f54) at <WebKitSrcDir>/JavaScriptCore/parser/Parser.cpp:56
#28 0x0070a5aa in JSC::Parser::parse<JSC::ProgramNode> (this=0x160b6c80, globalData=0x8a3ac00, lexicalGlobalObject=0x1b800000, debugger=0x0, debuggerExecState=0x160b9434, source=@0x1e5da614, exception=0xb0c82fc4) at Parser.h:85
#29 0x0070620c in JSC::ProgramExecutable::compileInternal (this=0x1e5da5e0, exec=0x160b9434, scopeChainNode=0x160b5b40) at <WebKitSrcDir>/JavaScriptCore/runtime/Executable.cpp:148
#30 0x006e9590 in JSC::ProgramExecutable::compile (this=0x1e5da5e0, exec=0x160b9434, scopeChainNode=0x160b5b40) at Executable.h:245
#31 0x006e8ffb in JSC::evaluate (exec=0x160b9434, scopeChain=@0x160b9400, source=@0xb0c83100, thisValue={u = {asEncodedJSValue = -30064771072, asDouble = -nan(0xffff900000000), asBits = {payload = 0, tag = -7}}}) at <WebKitSrcDir>/JavaScriptCore/runtime/Completion.cpp:56
#32 0x0075d9ca in JSEvaluateScript (ctx=0x1b3e5158, script=0x1d362e10, thisObject=0x0, sourceURL=0x0, startingLineNumber=0, exception=0x0) at <WebKitSrcDir>/JavaScriptCore/API/JSBase.cpp:55
#33 0x903bb92f in _JSArrayFromCFArrayOfCFStrings ()
#34 0x903bc13f in _JSDnsResolveFunctionCallback ()
#35 0x0075f3d1 in JSC::JSCallbackFunction::call (exec=0x1b3e5158) at <WebKitSrcDir>/JavaScriptCore/API/JSCallbackFunction.cpp:66
#36 0x00748593 in cti_op_call_NotJSFunction (args=0xb0c83380) at <WebKitSrcDir>/JavaScriptCore/jit/JITStubs.cpp:2143
#37 0x0073f3a2 in WTF::doubleHash () at HashTable.h:447
#38 0x0071939d in JSC::JITCode::execute (this=0x160c5294, registerFile=0x160b6cdc, callFrame=0x1b3e5048, globalData=0x8a3ac00, exception=0x8a3ba18) at JITCode.h:77
#39 0x00714cfe in JSC::Interpreter::executeCall (this=0x160b6cd0, callFrame=0x160b9434, function=0x1b803040, callType=JSC::CallTypeJS, callData=@0xb0c835dc, thisValue={u = {asEncodedJSValue = -8128561152, asDouble = -nan(0xffffe1b800000), asBits = {payload = 461373440, tag = -2}}}, args=@0xb0c835f0, exception=0x8a3ba18) at <WebKitSrcDir>/JavaScriptCore/interpreter/Interpreter.cpp:780
#40 0x006d0021 in JSC::call (exec=0x160b9434, functionObject={u = {asEncodedJSValue = -8128548800, asDouble = -nan(0xffffe1b803040), asBits = {payload = 461385792, tag = -2}}}, callType=JSC::CallTypeJS, callData=@0xb0c835dc, thisValue={u = {asEncodedJSValue = -8128561152, asDouble = -nan(0xffffe1b800000), asBits = {payload = 461373440, tag = -2}}}, args=@0xb0c835f0) at <WebKitSrcDir>/JavaScriptCore/runtime/CallData.cpp:38
#41 0x0078264f in JSObjectCallAsFunction (ctx=0x160b9434, object=0x1b803040, thisObject=0x0, argumentCount=2, arguments=0xb0c83668, exception=0x0) at <WebKitSrcDir>/JavaScriptCore/API/JSObjectRef.cpp:441
#42 0x903bba6d in CallFindProxyForURL ()
#43 0x903bdabe in executionContextPerform ()
#44 0x9010a3c5 in CFRunLoopRunSpecific ()
#45 0x9010aaa8 in CFRunLoopRunInMode ()
#46 0x9110c520 in +[NSURLConnection(NSURLConnectionReallyInternal) _resourceLoadLoop:] ()
#47 0x910a8dfd in -[NSThread main] ()
#48 0x910a89a4 in __NSThread__main__ ()
#49 0x96934155 in _pthread_start ()
#50 0x96934012 in thread_start ()
Current language:  auto; currently c++
(gdb)

========================================================================
$ debug-safari --debug
Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug.
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done

(gdb) r
Starting program: /Applications/Safari.app/Contents/MacOS/Safari
Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
Safari(7830,0xb0e0a000) malloc: *** error for object 0x1be31c10: Non-aligned pointer being freed (2)
*** set a breakpoint in malloc_error_break to debug

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xffffff80
0x04ccf3ad in WebCore::RenderObject::updateImage (this=0x174dda1c, oldImage=0xffffff80, newImage=0x0) at <WebKitSrcDir>/WebCore/rendering/RenderObject.cpp:1909
1909        oldImage->removeClient(this);
(gdb) where
#0  0x04ccf3ad in WebCore::RenderObject::updateImage (this=0x174dda1c, oldImage=0xffffff80, newImage=0x0) at <WebKitSrcDir>/WebCore/rendering/RenderObject.cpp:1909
#1  0x04cd5cdf in WebCore::RenderObject::setStyle (this=0x174dda1c, style=@0xbfffd6c0) at <WebKitSrcDir>/WebCore/rendering/RenderObject.cpp:1746
#2  0x04c2f202 in WebCore::RenderBlock::styleDidChange (this=0x1c78a86c, diff=WebCore::StyleDifferenceLayout, oldStyle=0x174827e0) at <WebKitSrcDir>/WebCore/rendering/RenderBlock.cpp:257
#3  0x04c6e85b in WebCore::RenderButton::styleDidChange (this=0x1c78a86c, diff=WebCore::StyleDifferenceLayout, oldStyle=0x174827e0) at <WebKitSrcDir>/WebCore/rendering/RenderButton.cpp:85
#4  0x04cd5da6 in WebCore::RenderObject::setStyle (this=0x1c78a86c, style=@0xbfffd7c8) at <WebKitSrcDir>/WebCore/rendering/RenderObject.cpp:1753
#5  0x04cd3815 in WebCore::RenderObject::setAnimatableStyle (this=0x1c78a86c, style=@0xbfffd7fc) at <WebKitSrcDir>/WebCore/rendering/RenderObject.cpp:1679
#6  0x04bb0f87 in WebCore::Node::setRenderStyle (this=0x17464dd0, s=@0xbfffd860) at <WebKitSrcDir>/WebCore/dom/Node.cpp:1436
#7  0x046743f4 in WebCore::Element::recalcStyle (this=0x17464dd0, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:935
#8  0x04763c61 in WebCore::HTMLFormControlElement::recalcStyle (this=0x17464dd0, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/html/HTMLFormControlElement.cpp:225
#9  0x04674755 in WebCore::Element::recalcStyle (this=0x1c7d9e50, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#10 0x04674755 in WebCore::Element::recalcStyle (this=0x1b6b5c00, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#11 0x04674755 in WebCore::Element::recalcStyle (this=0x160c8a90, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#12 0x04674755 in WebCore::Element::recalcStyle (this=0x17795510, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#13 0x04674755 in WebCore::Element::recalcStyle (this=0x1be59640, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#14 0x04674755 in WebCore::Element::recalcStyle (this=0x177ad2a0, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#15 0x04674755 in WebCore::Element::recalcStyle (this=0x1c74c010, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#16 0x04674755 in WebCore::Element::recalcStyle (this=0x1be0e380, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#17 0x04674755 in WebCore::Element::recalcStyle (this=0x1b63f9d0, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#18 0x04674755 in WebCore::Element::recalcStyle (this=0x1bed0bd0, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#19 0x04674755 in WebCore::Element::recalcStyle (this=0x1c708440, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#20 0x04674755 in WebCore::Element::recalcStyle (this=0x174cc020, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#21 0x04674755 in WebCore::Element::recalcStyle (this=0x1779da70, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Element.cpp:969
#22 0x0458d789 in WebCore::Document::recalcStyle (this=0x8d7d600, change=WebCore::Node::Force) at <WebKitSrcDir>/WebCore/dom/Document.cpp:1469
#23 0x0458e8d2 in WebCore::Document::styleSelectorChanged (this=0x8d7d600, updateFlag=WebCore::RecalcStyleImmediately) at <WebKitSrcDir>/WebCore/dom/Document.cpp:2826
#24 0x0458e9c7 in WebCore::Document::removePendingSheet (this=0x8d7d600) at <WebKitSrcDir>/WebCore/dom/Document.cpp:2784
#25 0x047838ae in WebCore::HTMLLinkElement::sheetLoaded (this=0x1db271b0) at <WebKitSrcDir>/WebCore/html/HTMLLinkElement.cpp:341
#26 0x04536205 in WebCore::CSSStyleSheet::checkLoaded (this=0x1db2a340) at <WebKitSrcDir>/WebCore/css/CSSStyleSheet.cpp:214
#27 0x04784f1d in WebCore::HTMLLinkElement::setCSSStyleSheet (this=0x1db271b0, href=@0x1c74461c, baseURL=@0x1c74462c, charset=@0xbfffe10c, sheet=0x1c7445d0) at <WebKitSrcDir>/WebCore/html/HTMLLinkElement.cpp:326
#28 0x04402ca2 in WebCore::CachedCSSStyleSheet::didAddClient (this=0x1c7445d0, c=0x1db271f4) at <WebKitSrcDir>/WebCore/loader/CachedCSSStyleSheet.cpp:56
#29 0x0440a953 in WebCore::CachedResource::addClient (this=0x1c7445d0, client=0x1db271f4) at <WebKitSrcDir>/WebCore/loader/CachedResource.cpp:216
#30 0x04783d86 in WebCore::HTMLLinkElement::process (this=0x1db271b0) at <WebKitSrcDir>/WebCore/html/HTMLLinkElement.cpp:231
#31 0x04783e75 in WebCore::HTMLLinkElement::insertedIntoDocument (this=0x1db271b0) at <WebKitSrcDir>/WebCore/html/HTMLLinkElement.cpp:250
#32 0x04454dd8 in WebCore::notifyChildInserted (child=0x1db271b0) at <WebKitSrcDir>/WebCore/dom/ContainerNode.cpp:978
#33 0x04456e71 in WebCore::ContainerNode::appendChild (this=0x17700580, newChild=@0xbfffe264, ec=@0xbfffe260, shouldLazyAttach=true) at <WebKitSrcDir>/WebCore/dom/ContainerNode.cpp:571
#34 0x049f660a in WebCore::JSNode::appendChild (this=0x8687c00, exec=0x14c2d128) at <WebKitSrcDir>/WebCore/bindings/js/JSNodeCustom.cpp:108
#35 0x049f49f5 in WebCore::jsNodePrototypeFunctionAppendChild (exec=0x14c2d128) at <WebKitSrcDir>/WebKitBuild/Debug/DerivedSources/WebCore/JSNode.cpp:484
#36 0x0125e1db in ?? ()
#37 0x0071939d in JSC::JITCode::execute (this=0x1be8c094, registerFile=0x14592c4c, callFrame=0x14c2d038, globalData=0x893c400, exception=0x893d218) at JITCode.h:77
#38 0x00714cfe in JSC::Interpreter::executeCall (this=0x14592c40, callFrame=0x8a71254, function=0x1a43bd40, callType=JSC::CallTypeJS, callData=@0xbfffe55c, thisValue={u = {asEncodedJSValue = -8448901120, asDouble = -nan(0xffffe08680000), asBits = {payload = 141033472, tag = -2}}}, args=@0xbfffe570, exception=0x893d218) at <WebKitSrcDir>/JavaScriptCore/interpreter/Interpreter.cpp:780
#39 0x006d0021 in JSC::call (exec=0x8a71254, functionObject={u = {asEncodedJSValue = -8149287616, asDouble = -nan(0xffffe1a43bd40), asBits = {payload = 440646976, tag = -2}}}, callType=JSC::CallTypeJS, callData=@0xbfffe55c, thisValue={u = {asEncodedJSValue = -8448901120, asDouble = -nan(0xffffe08680000), asBits = {payload = 141033472, tag = -2}}}, args=@0xbfffe570) at <WebKitSrcDir>/JavaScriptCore/runtime/CallData.cpp:38
#40 0x048a458e in WebCore::JSMainThreadExecState::call (exec=0x8a71254, functionObject={u = {asEncodedJSValue = -8149287616, asDouble = -nan(0xffffe1a43bd40), asBits = {payload = 440646976, tag = -2}}}, callType=JSC::CallTypeJS, callData=@0xbfffe55c, thisValue={u = {asEncodedJSValue = -8448901120, asDouble = -nan(0xffffe08680000), asBits = {payload = 141033472, tag = -2}}}, args=@0xbfffe570) at JSMainThreadExecState.h:48
#41 0x04d80a11 in WebCore::ScheduledAction::executeFunctionInContext (this=0x1db27620, globalObject=0x8682a80, thisValue={u = {asEncodedJSValue = -8448901120, asDouble = -nan(0xffffe08680000), asBits = {payload = 141033472, tag = -2}}}, context=0x8d7d638) at <WebKitSrcDir>/WebCore/bindings/js/ScheduledAction.cpp:106
#42 0x04d80fcd in WebCore::ScheduledAction::execute (this=0x1db27620, document=0x8d7d600) at <WebKitSrcDir>/WebCore/bindings/js/ScheduledAction.cpp:128
#43 0x04d810b5 in WebCore::ScheduledAction::execute (this=0x1db27620, context=0x8d7d638) at <WebKitSrcDir>/WebCore/bindings/js/ScheduledAction.cpp:76
#44 0x04644d3c in WebCore::DOMTimer::fired (this=0x1d418d30) at <WebKitSrcDir>/WebCore/page/DOMTimer.cpp:144
#45 0x04f27331 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x11ce070) at <WebKitSrcDir>/WebCore/platform/ThreadTimers.cpp:112
#46 0x04f274cd in WebCore::ThreadTimers::sharedTimerFired () at <WebKitSrcDir>/WebCore/platform/ThreadTimers.cpp:90
#47 0x04ddd482 in WebCore::timerFired () at <WebKitSrcDir>/WebCore/platform/mac/SharedTimerMac.mm:86
#48 0x9010a8f5 in CFRunLoopRunSpecific ()
#49 0x9010aaa8 in CFRunLoopRunInMode ()
#50 0x9645a2ac in RunCurrentEventLoopInMode ()
#51 0x9645a0c5 in ReceiveNextEventCommon ()
#52 0x96459f39 in BlockUntilNextEventMatchingListInMode ()
#53 0x93cc96d5 in _DPSNextEvent ()
#54 0x93cc8f88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#55 0x00015fdb in ?? ()
#56 0x93cc1f9f in -[NSApplication run] ()
#57 0x93c8f1d8 in NSApplicationMain ()
#58 0x0000a57e in ?? ()
Current language:  auto; currently c++
(gdb) p oldImage
$1 = (WebCore::StyleImage *) 0xffffff80

========================================================================
$ debug-safari --debug
Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug.
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done

(gdb) r
Starting program: /Applications/Safari.app/Contents/MacOS/Safari
Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
ASSERTION FAILED: !m_deletionHasBegun
(./wtf/RefCounted.h:80 bool WTF::RefCountedBase::derefBase())

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef
0x006badd7 in WTF::RefCountedBase::derefBase (this=0x171a74a4) at RefCounted.h:80
80          ASSERT(!m_deletionHasBegun);
(gdb) where
#0  0x006badd7 in WTF::RefCountedBase::derefBase (this=0x171a74a4) at RefCounted.h:80
#1  0x0070bf73 in WTF::RefCounted<JSC::SharedSymbolTable>::deref (this=0x171a74a4) at RefCounted.h:138
#2  0x0070bfd1 in JSC::FunctionCodeBlock::~FunctionCodeBlock (this=0x1af4b620) at CodeBlock.h:670
#3  0x00706a3c in WTF::deleteOwnedPtr<JSC::FunctionCodeBlock> (ptr=0x1af4b620) at OwnPtrCommon.h:57
#4  0x00706a8b in WTF::OwnPtr<JSC::FunctionCodeBlock>::~OwnPtr (this=0x1711a5b8) at OwnPtr.h:57
#5  0x007045b5 in JSC::FunctionExecutable::~FunctionExecutable (this=0x1711a560) at <WebKitSrcDir>/JavaScriptCore/runtime/Executable.cpp:92
#6  0x006baedd in WTF::RefCounted<JSC::ExecutableBase>::deref (this=0x1711a564) at RefCounted.h:139
#7  0x00770d5c in WTF::derefIfNotNull<JSC::ExecutableBase> (ptr=0x1711a560) at PassRefPtr.h:58
#8  0x00770d71 in WTF::RefPtr<JSC::ExecutableBase>::~RefPtr (this=0x871f32c) at RefPtr.h:58
#9  0x007706a3 in JSC::JSFunction::~JSFunction (this=0x871f300) at <WebKitSrcDir>/JavaScriptCore/runtime/JSFunction.cpp:123
#10 0x006df3cc in JSC::Heap::sweep (this=0x894975c) at <WebKitSrcDir>/JavaScriptCore/runtime/Collector.cpp:1025
#11 0x006e0f4f in JSC::Heap::collectAllGarbage (this=0x894975c) at <WebKitSrcDir>/JavaScriptCore/runtime/Collector.cpp:1230
#12 0x00837c19 in JSC::DefaultGCActivityCallbackPlatformData::trigger (info=0x894975c) at <WebKitSrcDir>/JavaScriptCore/runtime/GCActivityCallbackCF.cpp:57
#13 0x9010a8f5 in CFRunLoopRunSpecific ()
#14 0x9010aaa8 in CFRunLoopRunInMode ()
#15 0x9645a2ac in RunCurrentEventLoopInMode ()
#16 0x9645a0c5 in ReceiveNextEventCommon ()
#17 0x96459f39 in BlockUntilNextEventMatchingListInMode ()
#18 0x93cc96d5 in _DPSNextEvent ()
#19 0x93cc8f88 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#20 0x00015fdb in ?? ()
#21 0x93cc1f9f in -[NSApplication run] ()
#22 0x93c8f1d8 in NSApplicationMain ()
#23 0x0000a57e in ?? ()
Current language:  auto; currently c++
(gdb)

========================================================================
Clean rebuilding, reverting 66327
========================================================================
$ debug-safari --debug
Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug.
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done

(gdb) r
Starting program: /Applications/Safari.app/Contents/MacOS/Safari
Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Safari(93386,0xb0e0a000) malloc: *** error for object 0x1cf49e50: Non-aligned pointer being freed (2)
*** set a breakpoint in malloc_error_break to debug
ASSERTION FAILED: !m_provisionalDocumentLoader->timing()->navigationStart
(<WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2453 void WebCore::FrameLoader::continueLoadAfterWillSubmitForm())

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef 0x046d1ccf in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x881842c) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2453 2453 ASSERT(!m_provisionalDocumentLoader->timing()->navigationStart); (gdb) Current language: auto; currently c++ (gdb) (gdb) where #0 0x046d1ccf in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x881842c) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2453 #1 0x046d9b56 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x881842c, formState=@0xbfffe698, shouldContinue=true) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2971 #2 0x046d9ba4 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x881842c, request=@0x8fead00, formState=@0xbfffe754, shouldContinue=true) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2870 #3 0x04bfb1b7 in WebCore::PolicyChecker::checkNavigationPolicy (this=0x8818434, request=@0x8fead00, loader=0x8feaa00, formState=@0xbfffe82c, function=0x46d9b5e <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x881842c) at <WebKitSrcDir>/WebCore/loader/PolicyChecker.cpp:78 #4 0x046d9feb in WebCore::FrameLoader::loadWithDocumentLoader (this=0x881842c, loader=0x8feaa00, type=WebCore::FrameLoadTypeBack, prpFormState=@0xbfffea44) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:1481 #5 0x046dae47 in WebCore::FrameLoader::navigateToDifferentDocument (this=0x881842c, item=0x1bc501c0, loadType=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:3154 #6 0x046db4eb in WebCore::FrameLoader::loadItem (this=0x881842c, item=0x1bc501c0, loadType=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:3257 #7 0x047331d8 in WebCore::HistoryController::recursiveGoToItem (this=0x8818530, item=0x1bc501c0, fromItem=0x1b478120, type=WebCore::FrameLoadTypeBack) at 
<WebKitSrcDir>/WebCore/loader/HistoryController.cpp:595 #8 0x04733348 in WebCore::HistoryController::goToItem (this=0x8818530, targetItem=0x1bc501c0, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/HistoryController.cpp:238 #9 0x04bd42c8 in WebCore::Page::goToItem (this=0x11aaac0, item=0x1bc501c0, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/page/Page.cpp:365 #10 0x04bd44aa in WebCore::Page::goBack (this=0x11aaac0) at <WebKitSrcDir>/WebCore/page/Page.cpp:291 #11 0x00dc7425 in -[WebView goBack] (self=0x114b6d0, _cmd=0x96b45dac) at <WebKitSrcDir>/WebKit/mac/WebView/WebView.mm:3236 #12 0x00dbc4ee in -[WebView(WebIBActions) goBack:] (self=0x114b6d0, _cmd=0x96b00610, sender=0x11d2df0) at <WebKitSrcDir>/WebKit/mac/WebView/WebView.mm:3940 #13 0x000b8147 in ?? () #14 0x93d9ae8f in -[NSApplication sendAction:to:from:] () #15 0x00047af7 in ?? () #16 0x93d9adcc in -[NSControl sendAction:to:] () #17 0x93d9ac52 in -[NSCell _sendActionFrom:] () #18 0x93f45db8 in -[NSSegmentedCell _sendActionFrom:] () #19 0x93d9a2ab in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] () #20 0x93f45ae3 in -[NSSegmentedCell trackMouse:inRect:ofView:untilMouseUp:] () #21 0x93d993b8 in -[NSControl mouseDown:] () #22 0x93d97af7 in -[NSWindow sendEvent:] () #23 0x0003ffaa in ?? () #24 0x0003ff37 in ?? () #25 0x93d646a5 in -[NSApplication sendEvent:] () #26 0x000371cc in ?? () #27 0x93cc1fe7 in -[NSApplication run] () #28 0x93c8f1d8 in NSApplicationMain () #29 0x0000a57e in ?? () (gdb) p m_provisionalDocumentLoader $1 = { <WTF::FastAllocBase> = {<No data fields>}, members of WTF::RefPtr<WebCore::DocumentLoader>: m_ptr = 0x8feaa00 } (gdb) ======================================================================== $ debug-safari --debug Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug. GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009) Copyright 2004 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done (gdb) r Starting program: /Applications/Safari.app/Contents/MacOS/Safari Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done Reading symbols for shared libraries . done Reading symbols for shared libraries .... done Reading symbols for shared libraries .. done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries .. done Reading symbols for shared libraries .. done Safari(93456,0xb0c02000) malloc: *** error for object 0x1cbd9e30: Non-aligned pointer being freed (2) *** set a breakpoint in malloc_error_break to debug Safari(93456,0xb0c02000) malloc: *** error for object 0x1cbd9e30: Non-aligned pointer being freed (2) *** set a breakpoint in malloc_error_break to debug Program received signal EXC_BAD_ACCESS, Could not access memory. 
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 [Switching to process 93456 thread 0x6747] 0x0070f775 in JSC::Identifier::equal (r=0x1751d320, s=0x1bb76cd0, length=14) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:84 84 if (d[i] != s[i]) (gdb) where #0 0x0070f775 in JSC::Identifier::equal (r=0x1751d320, s=0x1bb76cd0, length=14) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:84 #1 0x00710364 in JSC::IdentifierUCharBufferTranslator::equal (str=0x1751d320, buf=@0xb0c00598) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:157 #2 0x00710502 in WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator>::equal (a=@0x8a3da18, b=@0xb0c00598) at HashSet.h:104 #3 0x007107da in WTF::HashTable<WTF::StringImpl*, WTF::StringImpl*, WTF::IdentityExtractor<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*>, WTF::HashTraits<WTF::StringImpl*> >::fullLookupForWriting<JSC::UCharBuffer, WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> > (this=0x160acd24, key=@0xb0c00598) at HashTable.h:613 #4 0x0071228e in WTF::HashTable<WTF::StringImpl*, WTF::StringImpl*, WTF::IdentityExtractor<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*>, WTF::HashTraits<WTF::StringImpl*> >::addPassingHashCode<JSC::UCharBuffer, JSC::UCharBuffer, WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> > (this=0x160acd24, key=@0xb0c00598, extra=@0xb0c00598) at HashTable.h:724 #5 0x007124e5 in WTF::HashSet<WTF::StringImpl*, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*> >::add<JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> (this=0x160acd24, value=@0xb0c00598) at HashSet.h:188 #6 0x00712533 in JSC::IdentifierTable::add<JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> 
(this=0x160acd20, value={s = 0x1bb76cd0, length = 14}) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:53 #7 0x0070fe24 in JSC::Identifier::add (globalData=0x8a38a00, s=0x1bb76cd0, length=14) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:224 #8 0x007b7dfa in JSC::Identifier::Identifier (this=0xb0c0063c, globalData=0x8a38a00, s=0x1bb76cd0, length=14) at Identifier.h:44 #9 0x007b7e42 in JSC::IdentifierArena::makeIdentifier (this=0x177491b0, globalData=0x8a38a00, characters=0x1bb76cd0, length=14) at ParserArena.h:52 #10 0x007b7e98 in JSC::Lexer::makeIdentifier (this=0x160aaf50, characters=0x1bb76cd0, length=14) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:325 #11 0x007b82f9 in JSC::Lexer::parseString (this=0x160aaf50, lvalp=0xb0c00ea0) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:533 #12 0x007b6dfe in JSC::Lexer::lex (this=0x160aaf50, lvalp=0xb0c00ea0, llocp=0xb0c00ea8, lexType=JSC::Lexer::IdentifyReservedWords) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:986 #13 0x0079e50a in JSC::JSParser::next (this=0xb0c00e5c, lexType=JSC::Lexer::IdentifyReservedWords) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:93 #14 0x0079f17f in JSC::JSParser::consume (this=0xb0c00e5c, expected=JSC::OPENBRACKET) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:101 #15 0x007a69bd in JSC::JSParser::parseArrayLiteral<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1225 #16 0x007a6e46 in JSC::JSParser::parsePrimaryExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1271 #17 0x007a77a2 in JSC::JSParser::parseMemberExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1375 #18 0x007a7bd8 in JSC::JSParser::parseUnaryExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1441 #19 0x007a523d in 
JSC::JSParser::parseBinaryExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1054 #20 0x007a55c2 in JSC::JSParser::parseConditionalExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1020 #21 0x007a571d in JSC::JSParser::parseAssignmentExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:970 #22 0x007a6c2b in JSC::JSParser::parseExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:945 #23 0x007a7452 in JSC::JSParser::parseExpressionStatement<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:861 #24 0x007a8694 in JSC::JSParser::parseStatement<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:757 #25 0x007a86c6 in JSC::JSParser::parseSourceElements<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:252 #26 0x00791162 in JSC::JSParser::parseProgram (this=0xb0c00e5c) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:236 #27 0x007912a5 in JSC::jsParse (globalData=0x8a38a00, source=0x177798f4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:207 #28 0x007ddf75 in JSC::Parser::parse (this=0x160ab2e0, globalData=0x8a38a00, errLine=0xb0c00f58, errMsg=0xb0c00f54) at <WebKitSrcDir>/JavaScriptCore/parser/Parser.cpp:56 #29 0x0070a5aa in JSC::Parser::parse<JSC::ProgramNode> (this=0x160ab2e0, globalData=0x8a38a00, lexicalGlobalObject=0x1c440000, debugger=0x0, debuggerExecState=0x160ace94, source=@0x177798f4, exception=0xb0c00fc4) at Parser.h:85 #30 0x0070620c in JSC::ProgramExecutable::compileInternal (this=0x177798c0, exec=0x160ace94, scopeChainNode=0x160ab270) at <WebKitSrcDir>/JavaScriptCore/runtime/Executable.cpp:148 #31 
0x006e9590 in JSC::ProgramExecutable::compile (this=0x177798c0, exec=0x160ace94, scopeChainNode=0x160ab270) at Executable.h:245 #32 0x006e8ffb in JSC::evaluate (exec=0x160ace94, scopeChain=@0x160ace60, source=@0xb0c01100, thisValue={u = {asEncodedJSValue = -30064771072, asDouble = -nan(0xffff900000000), asBits = {payload = 0, tag = -7}}}) at <WebKitSrcDir>/JavaScriptCore/runtime/Completion.cpp:56 #33 0x0075d9ca in JSEvaluateScript (ctx=0x1c01d158, script=0x1e46b7f0, thisObject=0x0, sourceURL=0x0, startingLineNumber=0, exception=0x0) at <WebKitSrcDir>/JavaScriptCore/API/JSBase.cpp:55 #34 0x903bb92f in _JSArrayFromCFArrayOfCFStrings () #35 0x903bc13f in _JSDnsResolveFunctionCallback () #36 0x0075f3d1 in JSC::JSCallbackFunction::call (exec=0x1c01d158) at <WebKitSrcDir>/JavaScriptCore/API/JSCallbackFunction.cpp:66 #37 0x00748593 in cti_op_call_NotJSFunction (args=0xb0c01380) at <WebKitSrcDir>/JavaScriptCore/jit/JITStubs.cpp:2143 #38 0x0073f3a2 in WTF::doubleHash () at HashTable.h:447 #39 0x0071939d in JSC::JITCode::execute (this=0x160b8cb4, registerFile=0x160aafbc, callFrame=0x1c01d048, globalData=0x8a38a00, exception=0x8a39818) at JITCode.h:77 #40 0x00714cfe in JSC::Interpreter::executeCall (this=0x160aafb0, callFrame=0x160ace94, function=0x1c443040, callType=JSC::CallTypeJS, callData=@0xb0c015dc, thisValue={u = {asEncodedJSValue = -8115716096, asDouble = -nan(0xffffe1c440000), asBits = {payload = 474218496, tag = -2}}}, args=@0xb0c015f0, exception=0x8a39818) at <WebKitSrcDir>/JavaScriptCore/interpreter/Interpreter.cpp:780 #41 0x006d0021 in JSC::call (exec=0x160ace94, functionObject={u = {asEncodedJSValue = -8115703744, asDouble = -nan(0xffffe1c443040), asBits = {payload = 474230848, tag = -2}}}, callType=JSC::CallTypeJS, callData=@0xb0c015dc, thisValue={u = {asEncodedJSValue = -8115716096, asDouble = -nan(0xffffe1c440000), asBits = {payload = 474218496, tag = -2}}}, args=@0xb0c015f0) at <WebKitSrcDir>/JavaScriptCore/runtime/CallData.cpp:38 #42 0x0078264f in 
JSObjectCallAsFunction (ctx=0x160ace94, object=0x1c443040, thisObject=0x0, argumentCount=2, arguments=0xb0c01668, exception=0x0) at <WebKitSrcDir>/JavaScriptCore/API/JSObjectRef.cpp:441
#43 0x903bba6d in CallFindProxyForURL ()
#44 0x903bdabe in executionContextPerform ()
#45 0x9010a3c5 in CFRunLoopRunSpecific ()
#46 0x9010aaa8 in CFRunLoopRunInMode ()
#47 0x9110c520 in +[NSURLConnection(NSURLConnectionReallyInternal) _resourceLoadLoop:] ()
#48 0x910a8dfd in -[NSThread main] ()
#49 0x910a89a4 in __NSThread__main__ ()
#50 0x96934155 in _pthread_start ()
#51 0x96934012 in thread_start ()
Current language: auto; currently c++
(gdb)
========================================================================
Synced to ToT (66441) and cleanly rebuilt.
========================================================================
$ git svn info
Path: .
URL: http://svn.webkit.org/repository/webkit/trunk
Repository Root: http://svn.webkit.org/repository/webkit
Repository UUID: 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Revision: 66441
Node Kind: directory
Schedule: normal
Last Changed Author: mrowe@apple.com
Last Changed Rev: 66441
Last Changed Date: 2010-08-30 18:07:09 -0700 (Mon, 30 Aug 2010)
========================================================================
$ debug-safari --debug
Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug.
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done
(gdb) r
Starting program: /Applications/Safari.app/Contents/MacOS/Safari
Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries .
done LEAK: 90 Structure ASSERTION FAILED: !m_provisionalDocumentLoader->timing()->navigationStart (<WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2457 void WebCore::FrameLoader::continueLoadAfterWillSubmitForm()) Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef 0x046bbf13 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x882582c) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2457 2457 ASSERT(!m_provisionalDocumentLoader->timing()->navigationStart); (gdb) where #0 0x046bbf13 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm (this=0x882582c) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2457 #1 0x046c3de2 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x882582c, formState=@0xbfffe698, shouldContinue=true) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2975 #2 0x046c3e30 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x882582c, request=@0x8a68700, formState=@0xbfffe754, shouldContinue=true) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:2874 #3 0x04be55d3 in WebCore::PolicyChecker::checkNavigationPolicy (this=0x8825834, request=@0x8a68700, loader=0x8a68400, formState=@0xbfffe82c, function=0x46c3dea <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x882582c) at <WebKitSrcDir>/WebCore/loader/PolicyChecker.cpp:78 #4 0x046c4277 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x882582c, loader=0x8a68400, type=WebCore::FrameLoadTypeBack, prpFormState=@0xbfffea44) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:1481 #5 0x046c50d3 in WebCore::FrameLoader::navigateToDifferentDocument (this=0x882582c, item=0x1b488400, loadType=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:3158 #6 0x046c5777 in WebCore::FrameLoader::loadItem (this=0x882582c, item=0x1b488400, loadType=WebCore::FrameLoadTypeBack) at 
<WebKitSrcDir>/WebCore/loader/FrameLoader.cpp:3261 #7 0x0471d49c in WebCore::HistoryController::recursiveGoToItem (this=0x8825930, item=0x1b488400, fromItem=0x1b6017d0, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/HistoryController.cpp:595 #8 0x0471d60c in WebCore::HistoryController::goToItem (this=0x8825930, targetItem=0x1b488400, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/loader/HistoryController.cpp:238 #9 0x04bbe6e4 in WebCore::Page::goToItem (this=0x112c760, item=0x1b488400, type=WebCore::FrameLoadTypeBack) at <WebKitSrcDir>/WebCore/page/Page.cpp:365 #10 0x04bbe8c6 in WebCore::Page::goBack (this=0x112c760) at <WebKitSrcDir>/WebCore/page/Page.cpp:291 #11 0x00dc73a1 in -[WebView goBack] (self=0x11370f0, _cmd=0x96b45dac) at <WebKitSrcDir>/WebKit/mac/WebView/WebView.mm:3236 #12 0x00dbc46a in -[WebView(WebIBActions) goBack:] (self=0x11370f0, _cmd=0x96b00610, sender=0x11e2870) at <WebKitSrcDir>/WebKit/mac/WebView/WebView.mm:3940 #13 0x000b8147 in ?? () #14 0x93d9ae8f in -[NSApplication sendAction:to:from:] () #15 0x00047af7 in ?? () #16 0x93d9adcc in -[NSControl sendAction:to:] () #17 0x93d9ac52 in -[NSCell _sendActionFrom:] () #18 0x93f45db8 in -[NSSegmentedCell _sendActionFrom:] () #19 0x93d9a2ab in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] () #20 0x93f45ae3 in -[NSSegmentedCell trackMouse:inRect:ofView:untilMouseUp:] () #21 0x93d993b8 in -[NSControl mouseDown:] () #22 0x93d97af7 in -[NSWindow sendEvent:] () #23 0x0003ffaa in ?? () #24 0x0003ff37 in ?? () #25 0x93d646a5 in -[NSApplication sendEvent:] () #26 0x000371cc in ?? () #27 0x93cc1fe7 in -[NSApplication run] () #28 0x93c8f1d8 in NSApplicationMain () #29 0x0000a57e in ?? () Current language: auto; currently c++ (gdb) ======================================================================== $ debug-safari --debug Starting Safari under gdb with DYLD_FRAMEWORK_PATH set to point to built WebKit in <WebKitSrcDir>/WebKitBuild/Debug. 
GNU gdb 6.3.50-20050815 (Apple version gdb-967) (Tue Jul 14 02:11:58 UTC 2009) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries ............................. done (gdb) r Starting program: /Applications/Safari.app/Contents/MacOS/Safari Reading symbols for shared libraries ++++++++++++++++++++++++++++............................................................................................. done Reading symbols for shared libraries . done Reading symbols for shared libraries .... done Reading symbols for shared libraries .. done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries . done Reading symbols for shared libraries .. done Reading symbols for shared libraries .. done Program received signal EXC_BAD_ACCESS, Could not access memory. 
Reason: KERN_INVALID_ADDRESS at address: 0xa1b1c1d3 [Switching to process 23494 thread 0x6e0b] 0x0070f75d in JSC::Identifier::equal (r=0x1772bb70, s=0x1bc801d0, length=13) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:84 84 if (d[i] != s[i]) (gdb) where #0 0x0070f75d in JSC::Identifier::equal (r=0x1772bb70, s=0x1bc801d0, length=13) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:84 #1 0x0071034c in JSC::IdentifierUCharBufferTranslator::equal (str=0x1772bb70, buf=@0xb0c005d8) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:157 #2 0x007104ea in WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator>::equal (a=@0x8a52da0, b=@0xb0c005d8) at HashSet.h:104 #3 0x007107c2 in WTF::HashTable<WTF::StringImpl*, WTF::StringImpl*, WTF::IdentityExtractor<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*>, WTF::HashTraits<WTF::StringImpl*> >::fullLookupForWriting<JSC::UCharBuffer, WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> > (this=0x160b2494, key=@0xb0c005d8) at HashTable.h:613 #4 0x00712276 in WTF::HashTable<WTF::StringImpl*, WTF::StringImpl*, WTF::IdentityExtractor<WTF::StringImpl*>, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*>, WTF::HashTraits<WTF::StringImpl*> >::addPassingHashCode<JSC::UCharBuffer, JSC::UCharBuffer, WTF::HashSetTranslatorAdapter<WTF::StringImpl*, WTF::HashTraits<WTF::StringImpl*>, JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> > (this=0x160b2494, key=@0xb0c005d8, extra=@0xb0c005d8) at HashTable.h:724 #5 0x007124cd in WTF::HashSet<WTF::StringImpl*, WTF::StringHash, WTF::HashTraits<WTF::StringImpl*> >::add<JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> (this=0x160b2494, value=@0xb0c005d8) at HashSet.h:188 #6 0x0071251b in JSC::IdentifierTable::add<JSC::UCharBuffer, JSC::IdentifierUCharBufferTranslator> 
(this=0x160b2490, value={s = 0x1bc801d0, length = 13}) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:53 #7 0x0070fe0c in JSC::Identifier::add (globalData=0x8a4da00, s=0x1bc801d0, length=13) at <WebKitSrcDir>/JavaScriptCore/runtime/Identifier.cpp:224 #8 0x007b7de2 in JSC::Identifier::Identifier (this=0xb0c0067c, globalData=0x8a4da00, s=0x1bc801d0, length=13) at Identifier.h:44 #9 0x007b7e2a in JSC::IdentifierArena::makeIdentifier (this=0x177aafa0, globalData=0x8a4da00, characters=0x1bc801d0, length=13) at ParserArena.h:52 #10 0x007b7e80 in JSC::Lexer::makeIdentifier (this=0x160b2e00, characters=0x1bc801d0, length=13) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:325 #11 0x007b82e1 in JSC::Lexer::parseString (this=0x160b2e00, lvalp=0xb0c00ea0) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:533 #12 0x007b6de6 in JSC::Lexer::lex (this=0x160b2e00, lvalp=0xb0c00ea0, llocp=0xb0c00ea8, lexType=JSC::Lexer::IdentifyReservedWords) at <WebKitSrcDir>/JavaScriptCore/parser/Lexer.cpp:986 #13 0x0079e4f2 in JSC::JSParser::next (this=0xb0c00e5c, lexType=JSC::Lexer::IdentifyReservedWords) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:93 #14 0x007a6aa8 in JSC::JSParser::parseArrayLiteral<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1243 #15 0x007a6e2e in JSC::JSParser::parsePrimaryExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1271 #16 0x007a778a in JSC::JSParser::parseMemberExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1375 #17 0x007a7bc0 in JSC::JSParser::parseUnaryExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1441 #18 0x007a5225 in JSC::JSParser::parseBinaryExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at 
<WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1054
#19 0x007a55aa in JSC::JSParser::parseConditionalExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:1020
#20 0x007a5705 in JSC::JSParser::parseAssignmentExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:970
#21 0x007a6c13 in JSC::JSParser::parseExpression<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:945
#22 0x007a743a in JSC::JSParser::parseExpressionStatement<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:861
#23 0x007a867c in JSC::JSParser::parseStatement<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:757
#24 0x007a86ae in JSC::JSParser::parseSourceElements<JSC::ASTBuilder> (this=0xb0c00e5c, context=@0xb0c00bb4) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:252
#25 0x0079114a in JSC::JSParser::parseProgram (this=0xb0c00e5c) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:236
#26 0x0079128d in JSC::jsParse (globalData=0x8a4da00, source=0x1bcb1934) at <WebKitSrcDir>/JavaScriptCore/parser/JSParser.cpp:207
#27 0x007ddf5d in JSC::Parser::parse (this=0x16029de0, globalData=0x8a4da00, errLine=0xb0c00f58, errMsg=0xb0c00f54) at <WebKitSrcDir>/JavaScriptCore/parser/Parser.cpp:56
#28 0x0070a592 in JSC::Parser::parse<JSC::ProgramNode> (this=0x16029de0, globalData=0x8a4da00, lexicalGlobalObject=0x1c300000, debugger=0x0, debuggerExecState=0x160b5204, source=@0x1bcb1934, exception=0xb0c00fc4) at Parser.h:85
#29 0x007061f4 in JSC::ProgramExecutable::compileInternal (this=0x1bcb1900, exec=0x160b5204, scopeChainNode=0x160b4f70) at <WebKitSrcDir>/JavaScriptCore/runtime/Executable.cpp:148
#30 0x006e9578 in JSC::ProgramExecutable::compile (this=0x1bcb1900, exec=0x160b5204, scopeChainNode=0x160b4f70) at Executable.h:245
#31 0x006e8fe3 in JSC::evaluate (exec=0x160b5204, scopeChain=@0x160b51d0, source=@0xb0c01100, thisValue={u = {asEncodedJSValue = -30064771072, asDouble = -nan(0xffff900000000), asBits = {payload = 0, tag = -7}}}) at <WebKitSrcDir>/JavaScriptCore/runtime/Completion.cpp:56
#32 0x0075d9b2 in JSEvaluateScript (ctx=0x1beed158, script=0x1935eee0, thisObject=0x0, sourceURL=0x0, startingLineNumber=0, exception=0x0) at <WebKitSrcDir>/JavaScriptCore/API/JSBase.cpp:55
#33 0x903bb92f in _JSArrayFromCFArrayOfCFStrings ()
#34 0x903bc13f in _JSDnsResolveFunctionCallback ()
#35 0x0075f3b9 in JSC::JSCallbackFunction::call (exec=0x1beed158) at <WebKitSrcDir>/JavaScriptCore/API/JSCallbackFunction.cpp:66
#36 0x0074857b in cti_op_call_NotJSFunction (args=0xb0c01380) at <WebKitSrcDir>/JavaScriptCore/jit/JITStubs.cpp:2143
#37 0x0073f38a in WTF::doubleHash () at HashTable.h:447
#38 0x00719385 in JSC::JITCode::execute (this=0x160c1874, registerFile=0x160b2e6c, callFrame=0x1beed048, globalData=0x8a4da00, exception=0x8a4e818) at JITCode.h:77
#39 0x00714ce6 in JSC::Interpreter::executeCall (this=0x160b2e60, callFrame=0x160b5204, function=0x1c303040, callType=JSC::CallTypeJS, callData=@0xb0c015dc, thisValue={u = {asEncodedJSValue = -8117026816, asDouble = -nan(0xffffe1c300000), asBits = {payload = 472907776, tag = -2}}}, args=@0xb0c015f0, exception=0x8a4e818) at <WebKitSrcDir>/JavaScriptCore/interpreter/Interpreter.cpp:780
#40 0x006d0009 in JSC::call (exec=0x160b5204, functionObject={u = {asEncodedJSValue = -8117014464, asDouble = -nan(0xffffe1c303040), asBits = {payload = 472920128, tag = -2}}}, callType=JSC::CallTypeJS, callData=@0xb0c015dc, thisValue={u = {asEncodedJSValue = -8117026816, asDouble = -nan(0xffffe1c300000), asBits = {payload = 472907776, tag = -2}}}, args=@0xb0c015f0) at <WebKitSrcDir>/JavaScriptCore/runtime/CallData.cpp:38
#41 0x00782637 in JSObjectCallAsFunction (ctx=0x160b5204, object=0x1c303040, thisObject=0x0, argumentCount=2, arguments=0xb0c01668, exception=0x0) at <WebKitSrcDir>/JavaScriptCore/API/JSObjectRef.cpp:441
#42 0x903bba6d in CallFindProxyForURL ()
#43 0x903bdabe in executionContextPerform ()
#44 0x9010a3c5 in CFRunLoopRunSpecific ()
#45 0x9010aaa8 in CFRunLoopRunInMode ()
#46 0x9110c520 in +[NSURLConnection(NSURLConnectionReallyInternal) _resourceLoadLoop:] ()
#47 0x910a8dfd in -[NSThread main] ()
#48 0x910a89a4 in __NSThread__main__ ()
#49 0x96934155 in _pthread_start ()
#50 0x96934012 in thread_start ()
Current language: auto; currently c++
(gdb)
========================================================================
Darin Adler
Comment 8
2010-08-30 22:26:28 PDT
As long as these crashes are only on one computer, we probably won’t make much progress. You may want to start over with a clean build since nobody else is seeing these crashes.
Yuzo Fujishima
Comment 9
2010-08-30 22:32:02 PDT
As I noted above, I did try a clean rebuild. I did both:
- build-webkit --clean
- rm -rf WebKitBuild
That said, I don't claim that my environment is perfect. Feel free to close this bug if nobody else sees the issues.
Darin Adler
Comment 10
2010-08-30 22:32:56 PDT
If anyone else can reproduce the problem, please add a comment.
Yuzo Fujishima
Comment 11
2010-08-31 18:18:51 PDT
I observed the issues on 2 machines. (Not absolutely sure about one, though). Both are running OS X 10.5. Reduced the importance to P2.
Tony Chang
Comment 12
2010-08-31 18:20:45 PDT
(In reply to comment #11)
> I observed the issues on 2 machines. (Not absolutely sure about one, though).
> Both are running OS X 10.5.
>
> Reduced the importance to P2.
Can you make a reduced test case? It's hard to do anything when no one else can repro.
Ryosuke Niwa
Comment 13
2010-08-31 19:00:44 PDT
I tried back & forth tabs and pages for 10-20 times and got:
Safari(84216,0x1163ac000) malloc: *** error for object 0x11ecce8c0: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
I'm not sure if this is related to this bug though.
Alexey Proskuryakov
Comment 14
2010-09-01 09:48:23 PDT
Can you get it to crash if you disable plug-ins? If not, does this happen with a newest version of Flash available from Adobe?
Yuzo Fujishima
Comment 15
2010-09-01 18:08:55 PDT
Sorry, I couldn't understand the issue well enough to derive a reduced test. I cannot try disabling plug-ins either, because I upgraded my machine to OS X 10.6 yesterday and haven't seen the issue since then. The other OS X 10.5 machine I think I observed the issue on is out of my control (one of the Chromium canaries) and is not showing the issue as of now. I do agree that plug-ins can be causing this, seeing the rather random crashes. Sorry for raising a possibly (likely?) false alarm, but I did repeat reverting and reapplying
r66327
two times, and I didn't observe the issue when the patch reverted. I close this as RESOLVED INVALID.
Alexey Proskuryakov
Comment 16
2010-09-01 23:52:19 PDT
In 10.6, you could try forcing 32-bit mode for Safari (via Finder's Get Info window). This changes plug-in behavior substantially, and of course, this also affects memory smashers a lot.