This stems from http://code.google.com/p/chromium/issues/detail?id=73120 The test page is a 22k table. Some JS code is calling table.rows for each element at least twice. Currently, we create a new HTMLTableRowsCollection every time table.rows is called. This means that the length is potentially recalculated every time table.rows is used. In the example, the DOM is not mutated so we could potentially reuse the CollectionCache to avoid the bad behavior. Patch forthcoming.
Created attachment 97451 [details] Patch
Comment on attachment 97451 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=97451&action=review > Source/WebCore/html/HTMLTableElement.cpp:630 > + m_collectionCache = adoptPtr(new CollectionCache()); I usually don’t put in the parentheses in cases like this.
Comment on attachment 97451 [details] Patch Clearing flags on attachment: 97451 Committed r89035: <http://trac.webkit.org/changeset/89035>
All reviewed patches have been landed. Closing bug.
I am seeing crashes when running dom/html/level2/html/HTMLCollection01.html and other tests now. Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000098 0 com.apple.WebCore 0x000000010fe13478 WTF::OwnPtr<WebCore::CollectionCache>::operator!() const + 8 (OwnPtr.h:65) 1 com.apple.WebCore 0x000000010fe8b0e9 WebCore::HTMLTableElement::collectionCache() const + 41 (HTMLTableElement.cpp:629) 2 com.apple.WebCore 0x000000010fe8ed18 WebCore::HTMLTableRowsCollection::HTMLTableRowsCollection(WTF::PassRefPtr<WebCore::HTMLTableElement>) + 72 (HTMLTableRowsCollection.cpp:153) Caused by this patch?
Yup, this patch makes incorrect use of PassRefPtr.