Reliably reproduces on http://blog.cnyes.com/My/itamian/article316071, but much more common with facebook.com + certain extensions. I'm distilling a repro now. 0x017b00e8 [Google Chrome Framework - FrameLoader.cpp:3072] WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions 0x01565a5d [Google Chrome Framework - Document.cpp:2528] WebCore::Document::processHttpEquiv 0x016c17a3 [Google Chrome Framework - HTMLMetaElement.cpp:76] WebCore::HTMLMetaElement::process 0x0154b2d7 [Google Chrome Framework - ContainerNode.cpp:632] WebCore::ContainerNode::parserAddChild 0x016ff038 [Google Chrome Framework - HTMLConstructionSite.cpp:98] WebCore::HTMLConstructionSite::attach<WebCore::Element> 0x016feba8 [Google Chrome Framework - HTMLConstructionSite.cpp:233] WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement 0x0171bfa1 [Google Chrome Framework - HTMLTreeBuilder.cpp:2735] WebCore::HTMLTreeBuilder::processStartTagForInHead 0x0171de9e [Google Chrome Framework - HTMLTreeBuilder.cpp:747] WebCore::HTMLTreeBuilder::processStartTagForInBody 0x0171f7cd [Google Chrome Framework - HTMLTreeBuilder.cpp:1337] WebCore::HTMLTreeBuilder::processStartTag 0x0172159c [Google Chrome Framework - HTMLTreeBuilder.cpp:485] WebCore::HTMLTreeBuilder::processToken 0x0172164f [Google Chrome Framework - HTMLTreeBuilder.cpp:466] WebCore::HTMLTreeBuilder::constructTreeFromToken 0x016ff423 [Google Chrome Framework - HTMLDocumentParser.cpp:234] WebCore::HTMLDocumentParser::pumpTokenizer 0x017009be [Google Chrome Framework - HTMLDocumentParser.cpp:183] WebCore::HTMLDocumentParser::insert 0x0170043e [Google Chrome Framework - HTMLDocumentParser.cpp:518] WebCore::HTMLDocumentParser::parseDocumentFragment 0x01691762 [Google Chrome Framework - HTMLElement.cpp:353] WebCore::createFragmentFromSource 0x016920f1 [Google Chrome Framework - HTMLElement.cpp:375] WebCore::HTMLElement::setInnerHTML 0x01bd6c84 [Google Chrome Framework - V8HTMLElement.cpp:168] WebCore::HTMLElementInternal::innerHTMLAttrSetter 0x00e3416e [Google Chrome Framework - objects.cc:1580] v8::internal::JSObject::SetPropertyWithCallback 0x00e487f4 [Google Chrome Framework - objects.cc:1865] v8::internal::JSObject::SetProperty 0x00e48d27 [Google Chrome Framework - objects.cc:1538] v8::internal::JSObject::SetProperty 0x00e01465 [Google Chrome Framework - ic.cc:1305] v8::internal::StoreIC::Store 0x00e01926 [Google Chrome Framework - ic.cc:1610] v8::internal::StoreIC_Miss
Created attachment 67724 [details] Testcase
Created attachment 67727 [details] Patch
Comment on attachment 67727 [details] Patch Precisely.
Comment on attachment 67727 [details] Patch Clearing flags on attachment: 67727 Committed r67627: <http://trac.webkit.org/changeset/67627>
All reviewed patches have been landed. Closing bug.
http://trac.webkit.org/changeset/67627 might have broken Chromium Win Release The following changes are on the blame list: http://trac.webkit.org/changeset/67626 http://trac.webkit.org/changeset/67627 http://trac.webkit.org/changeset/67628 http://trac.webkit.org/changeset/67629 http://trac.webkit.org/changeset/67630 http://trac.webkit.org/changeset/67631