This crash is related to the YouTube5 Safari extension (http://www.verticalforest.com/youtube5-extension/, version 2.2.7). With that extension disabled, it doesn't crash. With the extension enabled, the Webkit Nightly Version 5.1.1 (7534.51.22, r100143) Safari Web Content process reproducibly crashes with EXC_BAD_ACCESS on 10.7.2 when visiting this URL: http://thenextweb.com/shareables/2011/11/09/absolutely-amazing-6th-grade-iphone-app-developer-speaks-at-tedx/ Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000000006fd VM Regions Near 0x6fd: --> __TEXT 0000000108ac6000-0000000108ac7000 [ 4K] r-x/rwx SM=COW /Applications/WebKit.app/Contents/Frameworks/10.7/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Application Specific Information: objc[55280]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00000001090baf85 JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*) + 6101 1 com.apple.JavaScriptCore 0x00000001090bba43 compileOSRExit + 259 2 ??? 0x0000502520cfe3b6 0 + 88120394507190 3 com.apple.JavaScriptCore 0x0000000108f5e118 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 3288 4 com.apple.JavaScriptCore 0x0000000108f17608 JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 328 5 com.apple.WebCore 0x0000000109aa71e3 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 419 6 com.apple.WebCore 0x0000000109aa7309 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 41 7 com.apple.WebCore 0x0000000109aae83b WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 155 8 com.apple.WebCore 0x0000000109aaeba6 WebCore::ScriptElement::execute(WebCore::CachedScript*) + 166 9 com.apple.WebCore 0x0000000109ab30b6 WebCore::ScriptRunner::timerFired(WebCore::Timer<WebCore::ScriptRunner>*) + 310
Created attachment 114995 [details] full crash log
<rdar://problem/10450443>
Created attachment 115259 [details] the patch This should do it. I was able to successfully watch that video of that kid with this patch and that extension.
Comment on attachment 115259 [details] the patch How does the heuristics stuff relate to the bug fix? Seems like it should be a separate patch.
(In reply to comment #4) > (From update of attachment 115259 [details]) > How does the heuristics stuff relate to the bug fix? Seems like it should be a separate patch. You're right! I'll separate that out.
Landed in http://trac.webkit.org/changeset/100363
*** Bug 72396 has been marked as a duplicate of this bug. ***
Build fix for !ENABLE(JIT) landed in http://trac.webkit.org/changeset/100518
Ooops! This "bugfix" forgot about 32_64.
Created attachment 115873 [details] the patch for 32_64
Landed 32_64 fix in http://trac.webkit.org/changeset/100820