Does this occur with consistency on some site? If so what site?

No, it was the only regular crash that I got on my other computer during usual browsing on arbitrary web sites (at least I haven't noticed a pattern). I haven't seen it at all on this machine (it's also an amd64 build and exactly the same code since I am sharing the .deb packages between machines). With webkitgtk built with --disable-jit, I didn't see this crash anymore (and epiphany only rarely crashes with that), but I suppose that's expected.

This still occurs for me very consistently even after upgrade to 1.4.1. It never happened for me when I compiled WebKit without the JIT (I only rarely got the crashes then). Tracebacks are the same (minus the memory addresses, of course :).

Pasting the stack so that it will show up in searches: (gdb) bt full #0 0x0000000000000000 in ?? () No symbol table info available. #1 0x00007ffff55eeb19 in ctiTrampoline () from /usr/lib/libwebkitgtk-3.0.so.0 No symbol table info available. #2 0x00007ffff55b62ff in execute (this=0x7ffff7eac9d8, callFrame=0x200, function=0xffff000000000002, callType=<value optimized out>, callData=<value optimized out>, thisValue=<value optimized out>, args=...) at ../Source/JavaScriptCore/jit/JITCode.h:77 No locals. #3 JSC::Interpreter::executeCall (this=0x7ffff7eac9d8, callFrame=0x200, function=0xffff000000000002, callType=<value optimized out>, callData=<value optimized out>, thisValue=<value optimized out>, args=...) at ../Source/JavaScriptCore/interpreter/Interpreter.cpp:844 newCodeBlock = <value optimized out> callDataScopeChain = <value optimized out> compileError = 0x7fffd3266038 globalObjectScope = {m_dynamicGlobalObjectSlot = @0x7fffe4890dd0, m_savedDynamicGlobalObject = 0x0} registerOffset = <value optimized out> end = 0x0 scopeChain = 0x7fffc4084e50 argCount = <value optimized out> globalObjectScope = {m_dynamicGlobalObjectSlot = @0x7ffff26367f0, m_savedDynamicGlobalObject = 0x7ffff26261e6} oldEnd = 0x7fffd3266000 dst = <value optimized out> #4 0x00007ffff563ff8d in JSC::call (exec=<value optimized out>, functionObject=<value optimized out>, callType=<value optimized out>, callData=<value optimized out>, thisValue=<value optimized out>, args=<value optimized out>) at ../Source/JavaScriptCore/runtime/CallData.cpp:38 No locals. #5 0x00007ffff4a68215 in call (this=<value optimized out>, globalObject=0x7fffd1b5ebd0, thisValue=..., context=0x7fffd22e5c60) at ../Source/WebCore/bindings/js/JSMainThreadExecState.h:48 No locals. #6 WebCore::ScheduledAction::executeFunctionInContext ( this=<value optimized out>, globalObject=0x7fffd1b5ebd0, thisValue=..., context=0x7fffd22e5c60) at ../Source/WebCore/bindings/js/ScheduledAction.cpp:106 callData = {native = {function = 0x7fffc4084e50}, js = { functionExecutable = 0x7fffc4084e50, scopeChain = 0x7fffc5846a70}} callType = JSC::CallTypeJS exec = 0x7fffd1b5ec58 args = {static inlineCapacity = 8, m_buffer = 0x7fffffffd1a0, m_size = 0, m_isUsingInlineBuffer = true, m_vector = {m_size = 0, m_buffer = {<WTF::VectorBufferBase<JSC::Register>> = { m_buffer = 0x7fffffffd1a0, m_capacity = 8}, static m_inlineBufferSize = 64, m_inlineBuffer = { buffer = "\240\336 \362\377\177\000\000a\366\367\361\377\177\000\000\300\366a\001\000\000\000\000\020I\311\001\000\000\000\000\a\000\000\000\000\000\000\000\346ab\362\377\177\000\000\002\000\000\200\000\000\000\000\333]b\362\377\177\000"}}}, m_markSet = 0x0} size = 0 #7 0x00007ffff4a68813 in WebCore::ScheduledAction::execute ( this=<value optimized out>, document=0x7fffd22e5c00) at ../Source/WebCore/bindings/js/ScheduledAction.cpp:128 window = 0x7fffd1b5ebd0 #8 0x00007ffff4e0b330 in WebCore::DOMTimer::fired (this=0x7fffcd0bf548) at ../Source/WebCore/page/DOMTimer.cpp:148 context = 0x7fffd22e5c60 gestureIndicator = {static s_processingUserGesture = WebCore::PossiblyProcessingUserGesture, m_previousValue = WebCore::PossiblyProcessingUserGesture} cookie = {first = 0x0, second = 0} #9 0x00007ffff4ec7e52 in WebCore::ThreadTimers::sharedTimerFiredInternal ( this=0x7fffe42ad910) at ../Source/WebCore/platform/ThreadTimers.cpp:112 timer = 0x7fffcd0bf548 interval = 0 fireTime = 1303135638.7455771 timeToQuit = 1303135638.795577 #10 0x00007ffff48dfc02 in WebCore::timeout_cb () at ../Source/WebCore/platform/gtk/SharedTimerGtk.cpp:49 No locals. #11 0x00007ffff1f644eb in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 No symbol table info available. #12 0x00007ffff1f62bcd in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 No symbol table info available. #13 0x00007ffff1f633a8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 No symbol table info available. #14 0x00007ffff1f639f2 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 No symbol table info available. #15 0x00007ffff3d76d9d in gtk_main () from /usr/lib/libgtk-3.so.0 No symbol table info available. #16 0x0000000000430ed4 in main (argc=1, argv=0x7fffffffe708) at ephy-main.c:752 option_context = <value optimized out> option_group = <value optimized out> proxy = <value optimized out> error = 0x0 user_time = 18104725 arbitrary_url = <value optimized out> (gdb)

Do you mind confirming that this happens with the latest stable releases?

(In reply to comment #5) > Do you mind confirming that this happens with the latest stable releases? Would you be willing to build a debug build and try to get a debug stack trace? I'm also CCing some of the JSC developers. Perhaps they will see something right away in the stack trace.

Hi, I'd be very happy to try out with the debug build as well. I see that there might be more things than just debug symbols (which are included in my build already) such as assertions, so I'll try that next. Not sure when I'll have time to try it out, especially since I won't have access to this computer next week.

Going to close this since it's unlikely that we will be able to patch the 1.3 series.