Bug 105932

http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138620%20(4245)/http/tests/inspector/resource-har-pages-crash-log.txt Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 0000000109c49000-0000000109ce5000 [ 624K] r-x/rwx SM=COW /Volumes/VOLUME/* Application Specific Information: CRASHING TEST: /inspector/resource-har-pages.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010c97f78c WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 620 (RenderLayer.cpp:726) 1 com.apple.WebCore 0x000000010c97f899 WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 889 (RenderLayer.cpp:730) 2 com.apple.WebCore 0x000000010c97f899 WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 889 (RenderLayer.cpp:730) 3 com.apple.WebCore 0x000000010c97f899 WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 889 (RenderLayer.cpp:730) 4 com.apple.WebCore 0x000000010c97fa05 WebCore::RenderLayer::updateLayerPositionsAfterOverflowScroll() + 165 (RenderLayer.cpp:689) 5 com.apple.WebCore 0x000000010c985289 WebCore::RenderLayer::scrollTo(int, int) + 505 (RenderLayer.cpp:2017) 6 com.apple.WebCore 0x000000010c987cae WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) + 62 (RenderLayer.cpp:2355) 7 com.apple.WebCore 0x000000010cbd4a90 WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) + 96 (ScrollableArea.cpp:156) 8 com.apple.WebCore 0x000000010cbd4d81 WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) + 81 (ScrollableArea.cpp:200) 9 com.apple.WebCore 0x000000010cbd72cb WebCore::ScrollAnimator::notifyPositionChanged() + 59 (ScrollAnimator.cpp:145) 10 com.apple.WebCore 0x000000010cbdb639 WebCore::ScrollAnimatorMac::notifyPositionChanged() + 41 (ScrollAnimatorMac.mm:741) 11 com.apple.WebCore 0x000000010cbdb182 WebCore::ScrollAnimatorMac::immediateScrollTo(WebCore::FloatPoint const&) + 210 (ScrollAnimatorMac.mm:720) 12 com.apple.WebCore 0x000000010cbdb0a3 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 67 (ScrollAnimatorMac.mm:696) 13 com.apple.WebCore 0x000000010cbd48dc WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 60 (ScrollableArea.cpp:130) 14 com.apple.WebCore 0x000000010c984b35 WebCore::RenderLayer::scrollToOffset(WebCore::IntSize const&, WebCore::RenderLayer::ScrollOffsetClamping) + 197 (RenderLayer.cpp:1979) 15 com.apple.WebCore 0x000000010c8fd4dd WebCore::RenderLayer::scrollToYOffset(int, WebCore::RenderLayer::ScrollOffsetClamping) + 61 (RenderLayer.h:333) 16 com.apple.WebCore 0x000000010c8e329b WebCore::RenderBox::setScrollTop(int) + 75 (RenderBox.cpp:435) 17 com.apple.WebCore 0x000000010bbf08e3 WebCore::Element::setScrollTop(int) + 147 (Element.cpp:556) 18 com.apple.WebCore 0x000000010c237b4d WebCore::setJSElementScrollTop(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 93 (JSElement.cpp:1229) 19 com.apple.WebCore 0x000000010c241699 bool JSC::lookupPut<WebCore::JSElement>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSElement*, bool) + 249 (Lookup.h:373) 20 com.apple.WebCore 0x000000010c2400b8 void JSC::lookupPut<WebCore::JSElement, WebCore::JSNode>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSElement*, JSC::PutPropertySlot&) + 120 (Lookup.h:389) 21 com.apple.WebCore 0x000000010c234937 WebCore::JSElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 279 (JSElement.cpp:1212) 22 com.apple.WebCore 0x000000010c2bd89c void JSC::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLElement*, JSC::PutPropertySlot&) + 172 (Lookup.h:391) 23 com.apple.WebCore 0x000000010c2baab7 WebCore::JSHTMLElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 279 (JSHTMLElement.cpp:446) 24 com.apple.WebCore 0x000000010c2b418c void JSC::lookupPut<WebCore::JSHTMLDivElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLDivElement*, JSC::PutPropertySlot&) + 172 (Lookup.h:391) 25 com.apple.WebCore 0x000000010c2b3217 WebCore::JSHTMLDivElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 279 (JSHTMLDivElement.cpp:144) 26 com.apple.JavaScriptCore 0x000000010a04a319 JSC::JSValue::put(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 185 (JSObject.h:1523) 27 com.apple.JavaScriptCore 0x000000010a2f29f0 llint_slow_path_put_by_id + 416 (LLIntSlowPaths.cpp:981) 28 com.apple.JavaScriptCore 0x000000010a2fb977 llint_op_put_by_id + 155 29 com.apple.JavaScriptCore 0x000000010a0fbb74 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:134) 30 com.apple.JavaScriptCore 0x000000010a0f8def JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1519 (Interpreter.cpp:1055) 31 com.apple.JavaScriptCore 0x0000000109f74e32 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:39) 32 com.apple.JavaScriptCore 0x000000010a150407 JSC::boundFunctionCall(JSC::ExecState*) + 647 (JSBoundFunction.cpp:53) 33 com.apple.JavaScriptCore 0x000000010a0f8e19 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1561 (Interpreter.cpp:1058) 34 com.apple.JavaScriptCore 0x0000000109f74e32 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:39) 35 com.apple.WebCore 0x000000010c1186e2 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56) 36 com.apple.WebCore 0x000000010cb92baf WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 559 (ScheduledAction.cpp:112) 37 com.apple.WebCore 0x000000010cb92773 WebCore::ScheduledAction::execute(WebCore::Document*) + 323 (ScheduledAction.cpp:134) 38 com.apple.WebCore 0x000000010cb925b4 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) + 116 (ScheduledAction.cpp:80) 39 com.apple.WebCore 0x000000010bb8110a WebCore::DOMTimer::fired() + 538 (DOMTimer.cpp:139) 40 com.apple.WebCore 0x000000010cf248e6 WebCore::ThreadTimers::sharedTimerFiredInternal() + 294 (ThreadTimers.cpp:119) 41 com.apple.WebCore 0x000000010cf24679 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94) 42 com.apple.WebCore 0x000000010cc53343 WebCore::timerFired(__CFRunLoopTimer*, void*) + 67 (SharedTimerMac.mm:167) 43 com.apple.CoreFoundation 0x00007fff8a050da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 44 com.apple.CoreFoundation 0x00007fff8a0508bd __CFRunLoopDoTimer + 557 45 com.apple.CoreFoundation 0x00007fff8a036099 __CFRunLoopRun + 1513 46 com.apple.CoreFoundation 0x00007fff8a0356b2 CFRunLoopRunSpecific + 290 47 com.apple.Foundation 0x00007fff8702389e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268 48 DumpRenderTree 0x0000000109c60839 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 5017 (DumpRenderTree.mm:1381) 49 DumpRenderTree 0x0000000109c5f42a runTestingServerLoop() + 282 (DumpRenderTree.mm:846) 50 DumpRenderTree 0x0000000109c5ecf7 dumpRenderTree(int, char const**) + 391 (DumpRenderTree.mm:893) 51 DumpRenderTree 0x0000000109c61029 main + 105 (DumpRenderTree.mm:931) 52 libdyld.dylib 0x00007fff89ebe7e1 start + 1 Also see webkit.org/b/92279 and webkit.org/b/85615