The backtraces all seem pretty different to keep things interesting. I tried a run with ClusterFuzz, but it announced it unreproducible.
Tried with libgmalloc (Mac) with --repeat-each 100; the test cases do not crash. Sometimes it is the case that the previous test that ran before it is causing the crash. Also tried with ClusterFuzz on Linux with DRT; it didn't reproduce. Here is the crash stack from the URL above:

base::debug::StackTrace::StackTrace() [0x82ad2ac]
base::(anonymous namespace)::StackDumpSignalHandler() [0x8293e1d]
0xb7799400
WebCore::Frame::addDestructionObserver() [0x8adc56c]
WebCore::FrameDestructionObserver::observeFrame() [0x8ade946]
WebCore::DOMWindow::DOMWindow() [0x8ac02f5]
WebCore::Frame::domWindow() [0x8addc72]
WebCore::DOMWindowProperty::~DOMWindowProperty() [0x8ac5fc9]
WebCore::DOMWindowNotifications::~DOMWindowNotifications() [0x960d994]
WebCore::DOMWindow::~DOMWindow() [0x8ac3913]
WebCore::V8DOMWindow::derefObject() [0x8e44465]
WebCore::DOMData::derefObject() [0x8b52cb2]
WebCore::DOMData::handleWeakObject<>() [0x8b52f99]
WebCore::DOMDataStore::weakDOMObjectCallback() [0x8b53020]
v8::internal::GlobalHandles::PostGarbageCollectionProcessing() [0x842815b]
Here are a few of the tests leading up to one of the crashes. I should note that fast/dom/prototype-inheritance-2.html crashes on my machine (Mac 10.6 Debug) every other run when run independently. It doesn't have a problem on ClusterFuzz though... even with location.reload()

fast/dom/null-document-location-assign-crash.html passed
fast/dom/null-document-location-href-put-crash.html passed
fast/dom/null-document-location-put-crash.html passed
fast/dom/null-document-location-replace-crash.html passed
fast/dom/null-document-window-open-crash.html passed
fast/dom/null-page-show-modal-dialog-crash.html passed
fast/dom/objc-big-method-name.html passed
fast/dom/object-plugin-hides-properties.html passed
fast/dom/offset-parent-positioned-and-inline.html passed
fast/dom/offset-position-writing-modes.html passed
fast/dom/onerror-img.html passed
fast/dom/onload-open.html passed
fast/dom/option-properties.html passed
fast/dom/option-text-mutation-crash.html passed
fast/dom/outerText-no-element.html passed
fast/dom/outerText.html passed
fast/dom/ping-attribute-dom-binding.html passed
fast/dom/plugin-attributes-enumeration.html passed
fast/dom/prefixed-image-tag.xhtml passed
fast/dom/processing-instruction-appendChild-exceptions.xhtml passed
fast/dom/prototype-chain.html passed
fast/dom/prototype-inheritance-2.html failed: Text diff mismatch
fast/dom/prototype-inheritance.html passed
fast/dom/prototype-property.html passed
fast/dom/prototypes.html passed
fast/dom/register-protocol-handler.html passed
fast/dom/remove-body-during-body-replacement2.html crashed
+haraken, who worked on DOMWindowNotifications recently.
I see the problem. My fault.
(In reply to comment #4)
> I see the problem. My fault.

That first sentence is music to my ears :)
(In reply to comment #5)
> (In reply to comment #4)
> > I see the problem. My fault.
>
> That first sentence is music to my ears :)

(In reply to comment #4)
> I see the problem. My fault.

Does the bug need security flags? Is it a use-after-free?
> Does the bug need security flags? Is it a use-after-free?

I'm not sure yet.
Created attachment 132358 [details] needs changelog
Yes. It's a use-after-free, but the bug was introduced only 8 hours ago.
Created attachment 132370 [details] Patch
Comment on attachment 132370 [details]
Patch

Clearing flags on attachment: 132370

Committed r111086: <http://trac.webkit.org/changeset/111086>
All reviewed patches have been landed. Closing bug.
Reverted r111086 for reason: Chromium crash

Committed r111140: <http://trac.webkit.org/changeset/111140>
> Chromium crash

What crashes?
BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes.
(In reply to comment #15)
> BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes.

Adam: This one https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox/1362401bf41e9c9e

I could not fix the crash in hours, and since it is marked as a release-block bug, I rolled out suspicious patches.
(In reply to comment #16)
> (In reply to comment #15)
> > BTW, this patch is "correct" in the sense that we need to call the base class here. There might be other things we need to change if this causes other crashes.
>
> Adam: This one https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox/1362401bf41e9c9e
>
> I could not fix the crash in hours, and since it is marked as a release-block bug, I rolled out suspicious patches.

Can you provide a link that isn't to an email in your gmail ;)
(In reply to comment #17)
> Can you provide a link that isn't to an email in your gmail ;)

Oops, this one :) http://code.google.com/p/chromium/issues/detail?id=118796
This should be fixed now since we rolled out the cause of the problem. Please re-open if that's not correct.
<rdar://problem/11091337>