These crashes look bad; they are occurring in random locations that would be indicative of heap corruption. I would suggest rolling out r91332 and see if the crashes reliably go away. On 10.5: Thread 0 Crashed: 0 DumpRenderTree 0x009214fe v8::internal::HeapObject::map_word() + 10 1 DumpRenderTree 0x00921525 v8::internal::HeapObject::map() + 17 2 DumpRenderTree 0x00923969 v8::internal::HeapObject::GetHeap() + 73 3 DumpRenderTree 0x00a7ae03 v8::internal::HeapObject::HeapObjectShortPrint(v8::internal::StringStream*) + 27 4 DumpRenderTree 0x00a7b8d2 v8::internal::Object::ShortPrint(v8::internal::StringStream*) + 124 5 DumpRenderTree 0x00b514cd v8::internal::StringStream::PrintObject(v8::internal::Object*) + 31 6 DumpRenderTree 0x00b50f9e v8::internal::StringStream::Add(v8::internal::Vector<char const>, v8::internal::Vector<v8::internal::FmtElm>) + 1076 7 DumpRenderTree 0x00b51432 v8::internal::StringStream::Add(char const*, v8::internal::FmtElm, v8::internal::FmtElm) + 126 8 DumpRenderTree 0x0099d976 v8::internal::JavaScriptFrame::Print(v8::internal::StringStream*, v8::internal::StackFrame::PrintMode, int) const + 2186 9 DumpRenderTree 0x00b5e43c __ZN2v88internalL11PrintFramesEPNS0_12StringStreamENS0_10StackFrame9PrintModeE + 84 10 DumpRenderTree 0x00b5f41e v8::internal::Isolate::PrintStack(v8::internal::StringStream*) + 232 11 DumpRenderTree 0x00b5f4db v8::internal::Isolate::PrintStack() + 139 12 DumpRenderTree 0x00950e4a V8_Fatal + 188 13 DumpRenderTree 0x00b618ee __ZL11CheckHelperPKciS0_b + 74 14 DumpRenderTree 0x00b6276c v8::internal::TypeFeedbackOracle::SetInfo(unsigned int, v8::internal::Object*) + 78 15 DumpRenderTree 0x00b629e6 v8::internal::TypeFeedbackOracle::PopulateMap(v8::internal::Handle<v8::internal::Code>) + 480 16 DumpRenderTree 0x00b62be1 v8::internal::TypeFeedbackOracle::TypeFeedbackOracle(v8::internal::Handle<v8::internal::Code>, v8::internal::Handle<v8::internal::Context>) + 75 17 DumpRenderTree 0x00957b1c __ZN2v88internalL18MakeCrankshaftCodeEPNS0_15CompilationInfoE + 1528 18 DumpRenderTree 0x00957fad __ZN2v88internalL8MakeCodeEPNS0_15CompilationInfoE + 131 19 DumpRenderTree 0x0095811f v8::internal::Compiler::CompileLazy(v8::internal::CompilationInfo*) + 327 20 DumpRenderTree 0x009a9f48 __ZN2v88internalL17CompileLazyHelperEPNS0_15CompilationInfoENS0_18ClearExceptionFlagE + 168 21 DumpRenderTree 0x009a9fe4 v8::internal::CompileOptimized(v8::internal::Handle<v8::internal::JSFunction>, int, v8::internal::ClearExceptionFlag) + 60 22 DumpRenderTree 0x00b04886 v8::internal::Runtime_LazyRecompile(v8::internal::Arguments, v8::internal::Isolate*) + 480 23 ??? 0x0664e0d6 0 + 107274454 24 ??? 0x0665f07c 0 + 107343996 25 ??? 0x1e5214ec 0 + 508695788 26 ??? 0x06665d13 0 + 107371795 27 ??? 0x1c8e57dc 0 + 479090652 28 ??? 0x0664f47f 0 + 107279487 29 ??? 0x1c8ef69b 0 + 479131291 30 ??? 0x1c8e925c 0 + 479105628 31 ??? 0x06655fa2 0 + 107306914 32 ??? 0x0665efd6 0 + 107343830 33 ??? 0x0664fa62 0 + 107280994 34 DumpRenderTree 0x00980733 __ZN2v88internalL6InvokeEbNS0_6HandleINS0_10JSFunctionEEENS1_INS0_6ObjectEEEiPPPS4_Pb + 483 35 DumpRenderTree 0x00980d81 v8::internal::Execution::Call(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) + 53 36 DumpRenderTree 0x00920001 v8::Script::Run() + 579 37 DumpRenderTree 0x00ec52c3 WebCore::V8Proxy::runScript(v8::Handle<v8::Script>, bool) + 467 38 DumpRenderTree 0x00ec5674 WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) + 596 39 DumpRenderTree 0x00e99942 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 216 40 DumpRenderTree 0x010a335d WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 427 41 DumpRenderTree 0x010a4369 WebCore::ScriptElement::prepareScript(WTF::TextPosition<WTF::OneBasedNumber> const&, WebCore::ScriptElement::LegacyTypeSupport) + 1589 42 DumpRenderTree 0x002800e0 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition<WTF::OneBasedNumber> const&) + 344 43 DumpRenderTree 0x00280d4f WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition<WTF::OneBasedNumber> const&) + 155 44 DumpRenderTree 0x002738aa WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 282 45 DumpRenderTree 0x00273959 WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 139 46 DumpRenderTree 0x00273fe6 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 650 47 DumpRenderTree 0x002742de WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 180 48 DumpRenderTree 0x002748a6 WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 302 49 DumpRenderTree 0x01013670 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, int, bool) + 210 50 DumpRenderTree 0x0120b203 WebCore::DocumentWriter::addData(char const*, int, bool) + 109 51 DumpRenderTree 0x0120b290 WebCore::DocumentWriter::endIfNotLoadingMainResource() + 138 52 DumpRenderTree 0x0120b2d8 WebCore::DocumentWriter::end() + 38 53 DumpRenderTree 0x012017c9 WebCore::DocumentLoader::finishedLoading() + 81 54 DumpRenderTree 0x0121babc WebCore::FrameLoader::finishedLoading() + 72 55 DumpRenderTree 0x0122ac02 WebCore::MainResourceLoader::didFinishLoading(double) + 338 56 DumpRenderTree 0x0123d343 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 47 57 DumpRenderTree 0x0007dc03 WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader*, double) + 221 58 DumpRenderTree 0x01bbd953 webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&) + 669 59 DumpRenderTree 0x01be840b (anonymous namespace)::RequestProxy::NotifyCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&) + 61 60 DumpRenderTree 0x01be8887 void DispatchToMethod<(anonymous namespace)::RequestProxy, void ((anonymous namespace)::RequestProxy::*)(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&), net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time>((anonymous namespace)::RequestProxy*, void ((anonymous namespace)::RequestProxy::*)(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&), Tuple3<net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time> const&) + 93 61 DumpRenderTree 0x01be88c2 RunnableMethod<(anonymous namespace)::RequestProxy, void ((anonymous namespace)::RequestProxy::*)(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&), Tuple3<net::URLRequestStatus, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, base::Time> >::Run() + 52 62 DumpRenderTree 0x005e1c58 MessageLoop::RunTask(Task*) + 312 63 DumpRenderTree 0x005e1deb MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) + 53 64 DumpRenderTree 0x005e2699 MessageLoop::DoWork() + 253 65 DumpRenderTree 0x005a9d11 base::MessagePumpCFRunLoopBase::RunWork() + 77 66 DumpRenderTree 0x005a9e89 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 23 67 com.apple.CoreFoundation 0x912e23c5 CFRunLoopRunSpecific + 3141 68 com.apple.CoreFoundation 0x912e2aa8 CFRunLoopRunInMode + 88 69 com.apple.HIToolbox 0x90f4a2ac RunCurrentEventLoopInMode + 283 70 com.apple.HIToolbox 0x90f4a0c5 ReceiveNextEventCommon + 374 71 com.apple.HIToolbox 0x90f49f39 BlockUntilNextEventMatchingListInMode + 106 72 com.apple.AppKit 0x91c946d5 _DPSNextEvent + 657 73 com.apple.AppKit 0x91c93f88 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 74 com.apple.AppKit 0x91c8cf9f -[NSApplication run] + 795 75 DumpRenderTree 0x005a97fa base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 256 76 DumpRenderTree 0x005a9b3b base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 143 77 DumpRenderTree 0x005e2990 MessageLoop::RunInternal() + 200 78 DumpRenderTree 0x005e29ab MessageLoop::RunHandler() + 17 79 DumpRenderTree 0x005e2a0f MessageLoop::Run() + 35 80 DumpRenderTree 0x001af17b webkit_support::RunMessageLoop() + 19 81 DumpRenderTree 0x0003d7cb TestShell::waitTestFinished() + 343 (TestShellMac.mm:121) 82 DumpRenderTree 0x00038638 TestShell::runFileTest(TestParams const&) + 654 (TestShell.cpp:215) 83 DumpRenderTree 0x000120b8 __ZL7runTestR9TestShellR10TestParamsRKSsb + 958 84 DumpRenderTree 0x00012852 main + 1910 (DumpRenderTree.cpp:224) 85 DumpRenderTree 0x00002b76 start + 54 On 10.6: Thread 5 Crashed: IOThread 0 libSystem.B.dylib 0x928854ee __semwait_signal_nocancel + 10 1 libSystem.B.dylib 0x928853d2 nanosleep$NOCANCEL$UNIX2003 + 166 2 libSystem.B.dylib 0x929002a6 usleep$NOCANCEL$UNIX2003 + 61 3 libSystem.B.dylib 0x92921959 __abort + 136 4 libSystem.B.dylib 0x929219c9 abort_report_np + 0 5 libstdc++.6.dylib 0x900a0fda __gnu_cxx::__verbose_terminate_handler() + 433 6 libstdc++.6.dylib 0x9009f17a __cxxabiv1::__terminate(void (*)()) + 10 7 libstdc++.6.dylib 0x9009f1ba __cxxabiv1::__unexpected(void (*)()) + 0 8 libstdc++.6.dylib 0x9009f2b8 __gxx_exception_cleanup(_Unwind_Reason_Code, _Unwind_Exception*) + 0 9 libstdc++.6.dylib 0x9005b856 std::__throw_logic_error(char const*) + 158 10 libstdc++.6.dylib 0x90086ced char* std::string::_S_construct<char const*>(char const*, char const*, std::allocator<char> const&, std::forward_iterator_tag) + 57 11 libstdc++.6.dylib 0x90086d85 std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, unsigned long, std::allocator<char> const&) + 37 12 DumpRenderTree 0x679d95a6 GURL::GURL(char const*, unsigned long, url_parse::Parsed const&, bool) + 136 13 DumpRenderTree 0x6734180b WebKit::WebURL::operator GURL() const + 147 (WebURL.h:132) 14 DumpRenderTree 0x69da1bbd void DispatchToMethod<TestShellWebBlobRegistryImpl, void (TestShellWebBlobRegistryImpl::*)(GURL const&), WebKit::WebURL>(TestShellWebBlobRegistryImpl*, void (TestShellWebBlobRegistryImpl::*)(GURL const&), Tuple1<WebKit::WebURL> const&) + 111 15 DumpRenderTree 0x69da1c4f RunnableMethod<TestShellWebBlobRegistryImpl, void (TestShellWebBlobRegistryImpl::*)(GURL const&), Tuple1<WebKit::WebURL> >::Run() + 85 16 DumpRenderTree 0x67a53162 (anonymous namespace)::TaskClosureAdapter::Run() + 58 17 DumpRenderTree 0x67a53834 base::internal::Invoker1<false, base::internal::InvokerStorage1<void ((anonymous namespace)::TaskClosureAdapter::*)(), (anonymous namespace)::TaskClosureAdapter*>, void ((anonymous namespace)::TaskClosureAdapter::*)()>::DoInvoke(base::internal::InvokerStorageBase*) + 122 18 DumpRenderTree 0x67a58b2c base::Callback<void ()()>::Run() const + 62 19 DumpRenderTree 0x67a54d65 MessageLoop::RunTask(MessageLoop::PendingTask const&) + 413 20 DumpRenderTree 0x67a54ef9 MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) + 85 21 DumpRenderTree 0x67a55235 MessageLoop::DoWork() + 271 22 DumpRenderTree 0x679f7a9b base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) + 339 23 DumpRenderTree 0x67a564bb MessageLoop::RunInternal() + 245 24 DumpRenderTree 0x67a56505 MessageLoop::RunHandler() + 45 25 DumpRenderTree 0x67a565d1 MessageLoop::Run() + 63 26 DumpRenderTree 0x67acaf75 base::Thread::Run(MessageLoop*) + 51 27 DumpRenderTree 0x67acadd5 base::Thread::ThreadMain() + 337 28 DumpRenderTree 0x67acaad9 base::(anonymous namespace)::ThreadFunc(void*) + 103 29 libSystem.B.dylib 0x928457fd _pthread_start + 345 30 libSystem.B.dylib 0x92845682 thread_start + 34

r91332 was rolled out in bug 64925. Here is a crash log from Safari Mac (with WebKit built using --debug) when running LayoutTests/css3/images/optimize-contrast-canvas.html: ASSERTION FAILED: !useLowQualityScale /Volumes/development/src/chromium-webkit/src/third_party/WebKit/Source/WebCore/platform/graphics/cg/ImageBufferCG.cpp(216) : void WebCore::ImageBuffer::draw(WebCore::GraphicsContext*, WebCore::ColorSpace, const WebCore::FloatRect&, const WebCore::FloatRect&, WebCore::CompositeOperator, bool) 1 WebCore::ImageBuffer::draw(WebCore::GraphicsContext*, WebCore::ColorSpace, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, bool) 2 WebCore::GraphicsContext::drawImageBuffer(WebCore::ImageBuffer*, WebCore::ColorSpace, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, bool) 3 WebCore::GraphicsContext::drawImageBuffer(WebCore::ImageBuffer*, WebCore::ColorSpace, WebCore::IntRect const&, WebCore::IntRect const&, WebCore::CompositeOperator, bool) 4 WebCore::GraphicsContext::drawImageBuffer(WebCore::ImageBuffer*, WebCore::ColorSpace, WebCore::IntRect const&, WebCore::CompositeOperator, bool) 5 WebCore::HTMLCanvasElement::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, bool) 6 WebCore::RenderHTMLCanvas::paintReplaced(WebCore::PaintInfo&, WebCore::IntPoint const&) 7 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) 8 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 9 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul>*, WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 10 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 11 WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul>*, WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 12 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) 13 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*) 14 WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) 15 -[WebFrame(WebInternal) _drawRect:contentsOnly:] 16 -[WebHTMLView drawSingleRect:] 17 -[WebHTMLView drawRect:] 18 -[NSView _drawRect:clip:] 19 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 20 -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] 21 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 22 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 23 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 24 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 25 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 26 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] 27 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] 28 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] 29 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] 30 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] 31 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:]

It's also failing assertions on SnowLeopard and timing out on Windows. http://build.webkit.org/results/Windows%20XP%20Debug%20(Tests)/r91332%20(30794)/results.html http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r91332%20(18159)/css3/images/optimize-contrast-canvas-crash-log.txt

<rdar://problem/9815912>

The r91332 was rolled out in http://trac.webkit.org/changeset/91446/.