This bug maybe arose between r116279 and r118267. Heap::markRoots can call indirectly Heap::markRoots again. It is why CRASH() can be fired in Heap::markRoots's following code. if (m_operationInProgress != NoOperation) CRASH(); I attached an example callstack. JSC::Heap::markRoots() at Heap.cpp:428 0x7ffff5a2fe79 JSC::Heap::collect() at Heap.cpp:683 0x7ffff5a307b5 JSC::CopiedSpace::getFreshBlock() at CopiedSpace.cpp:240 0x7ffff5a25944 JSC::CopiedSpace::addNewBlock() at CopiedSpaceInlineMethods.h:107 0x7ffff5a26859 JSC::CopiedSpace::doneCopying() at CopiedSpace.cpp:226 0x7ffff5a257ed JSC::Heap::markRoots() at Heap.cpp:588 0x7ffff5a303ae JSC::Heap::collect() at Heap.cpp:683 0x7ffff5a307b5 JSC::Heap::reportExtraMemoryCostSlowCase() at Heap.cpp:305 0x7ffff5a2f5f6 JSC::Heap::reportExtraMemoryCost() at Heap.h:322 0x7ffff463ffb3 WebCore::HTMLImageLoader::notifyFinished() at HTMLImageLoader.cpp:86 0x7ffff4afa6bd I tested " http://www.dorothybrowser.com/test/webkitTest/imgdecode/bgimage-png/test.html " using WebKitQt. If you go into the site and push a back button and push a go button, you can encounter CRASH(). I don't know JSC' GC, so I want for JSC experts to fix it.