@ap filed in webkit land:
https://bugs.webkit.org/show_bug.cgi?id=46222
@ap got a checkConsistency() assertion failure with cross_fuzz. This likely means an exploitable security issue, as he has seen in the past.
#0 0x1024820e9 in WTF::ValueCheck<WebCore::AtomicStringImpl*>::checkConsistency at ValueCheck.h:45
#1 0x102602c65 in WTF::HashTable<WebCore::AtomicStringImpl*, std::pair<WebCore::AtomicStringImpl*, WebCore::Element*>, WTF::PairFirstExtractor<std::pair<WebCore::AtomicStringImpl*, WebCore::Element*> >, WTF::PtrHash<WebCore::AtomicStringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::AtomicStringImpl*>, WTF::HashTraits<WebCore::Element*> >, WTF::HashTraits<WebCore::AtomicStringImpl*> >::checkTableConsistencyExceptSize at HashTable.h:1025
#2 0x102602dd1 in WTF::HashTable<WebCore::AtomicStringImpl*, std::pair<WebCore::AtomicStringImpl*, WebCore::Element*>, WTF::PairFirstExtractor<std::pair<WebCore::AtomicStringImpl*, WebCore::Element*> >, WTF::PtrHash<WebCore::AtomicStringImpl*>, WTF::PairHashTraits<WTF::HashTraits<WebCore::AtomicStringImpl*>, WTF::HashTraits<WebCore::Element*> >, WTF::HashTraits<WebCore::AtomicStringImpl*> >::checkTableConsistency at HashTable.h:998
#3 0x102602e85 in WTF::HashMap<WebCore::AtomicStringImpl*, WebCore::Element*, WTF::PtrHash<WebCore::AtomicStringImpl*>, WTF::HashTraits<WebCore::AtomicStringImpl*>, WTF::HashTraits<WebCore::Element*> >::checkConsistency at HashMap.h:319
#4 0x1025da6f6 in WebCore::Document::getElementById at Document.cpp:909
#5 0x1025da8d2 in WebCore::Document::findAnchor at Document.cpp:4849
#6 0x102737f5f in WebCore::FrameView::scrollToAnchor at FrameView.cpp:970
#7 0x1027382b8 in WebCore::FrameView::scrollToFragment at FrameView.cpp:949
#8 0x102724a2e in WebCore::FrameLoader::loadInSameDocument at FrameLoader.cpp:1657
#9 0x102724cd4 in WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy at FrameLoader.cpp:3337
#10 0x102724d0c in WebCore::FrameLoader::callContinueFragmentScrollAfterNavigationPolicy at FrameLoader.cpp:3326
#11 0x102b78d63 in WebCore::PolicyCallback::call at PolicyCallback.cpp:101
#12 0x102b798b3 in WebCore::PolicyChecker::continueAfterNavigationPolicy at PolicyChecker.cpp:160
#13 0x101ea63db in WebFrameLoaderClient::receivedPolicyDecison at WebFrameLoaderClient.mm:1271
#14 0x101ea6470 in -[WebFramePolicyListener receivedPolicyDecision:] at WebFrameLoaderClient.mm:1864
...
Comment 1 by infe...@chromium.org, Sep 22 2010