Attempting to inspect tvtv.de resulted in this assertion: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xbbadbeef 0x02a63224 in WebCore::JSInspectedObjectWrapper::prepareIncomingValue (this=0x1afb9f80, value=0xb598a0) at /Volumes/Data/git/WebKit/OpenSource/WebCore/bindings/js/JSInspectedObjectWrapper.cpp:97 97 ASSERT_WITH_MESSAGE(wrapper->inherits(&JSInspectorCallbackWrapper::s_info), "A wrapper that was not from the inspected page and is not an Inspector callback was passed to a JSInspectedObjectWrapper"); (gdb) where #0 0x02a63224 in WebCore::JSInspectedObjectWrapper::prepareIncomingValue (this=0x1afb9f80, value=0xb598a0) at /Volumes/Data/git/WebKit/OpenSource/WebCore/bindings/js/JSInspectedObjectWrapper.cpp:97 #1 0x02a67681 in WebCore::JSQuarantinedObjectWrapper::callAsFunction (this=0x1afb9f80, exec=0xbfff98a4, thisObj=0xb598a0, args=@0xbfff8b28) at /Volumes/Data/git/WebKit/OpenSource/WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp:252 #2 0x004ef4de in KJS::Machine::privateExecute (this=0x540960, flag=KJS::Machine::Normal, exec=0xbfff98a4, registerFile=0x1abb7ce0, r=0x4c6f5b0, scopeChain=0x1a324ba0, codeBlock=0x1ab66660, exception=0xbfff995c) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:1792 #3 0x004f0e65 in KJS::Machine::execute (this=0x540960, functionBodyNode=0x1ab83640, exec=0xbfffa8b4, function=0x1a814240, thisObj=0xb598a0, args=@0xbfff99e0, registerFileStack=0x1ab5eb38, scopeChain=0x1a324ba0, exception=0xbfff995c) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:664 #4 0x0044a7ad in KJS::FunctionImp::callAsFunction (this=0x1a814240, exec=0xbfffa8b4, thisObj=0xb598a0, args=@0xbfff99e0) at function.cpp:95 #5 0x00462faf in KJS::JSObject::call (this=0x1a814240, exec=0xbfffa8b4, thisObj=0xb598a0, args=@0xbfff99e0) at object.cpp:99 #6 0x00464f96 in functionProtoFuncCall (exec=0xbfffa8b4, thisObj=0x1a814240, args=@0xbfff9b38) at function_object.cpp:125 #7 0x0043e872 in KJS::PrototypeFunction::callAsFunction (this=0x1a8132c0, exec=0xbfffa8b4, thisObj=0x1a814240, args=@0xbfff9b38) at function.cpp:747 #8 0x004ef4de in KJS::Machine::privateExecute (this=0x540960, flag=KJS::Machine::Normal, exec=0xbfffa8b4, registerFile=0x1abb7ce0, r=0x4c6f3e0, scopeChain=0x1a324ba0, codeBlock=0x1ab7ca00, exception=0xbfffa96c) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:1792 #9 0x004f0e65 in KJS::Machine::execute (this=0x540960, functionBodyNode=0x1ad21560, exec=0xbfffb8c4, function=0x1a81a7c0, thisObj=0xb216a0, args=@0xbfffaa00, registerFileStack=0x1ab5eb38, scopeChain=0x1a324ba0, exception=0xbfffa96c) at /Volumes/Data/git/WebKit/OpenSource/JavaScriptCore/VM/Machine.cpp:664
(not a merge blocker, i curse autocomplete :D )
This actually broke many exciting things however it's a marking issue in JSActivationObject
Created attachment 21208 [details] Patch to fix marking in an activation (This has been reviewed by maciej)
M JavaScriptCore/ChangeLog M JavaScriptCore/kjs/JSActivation.cpp M LayoutTests/ChangeLog A LayoutTests/fast/js/duplicate-param-gc-crash.html A LayoutTests/fast/js/resources/duplicate-param-gc-crash.js A LayoutTests/fast/js/resources/var-shadows-arg-gc-crash.js A LayoutTests/fast/js/var-shadows-arg-gc-crash.html Committed r33550