155404 2016-03-12 19:33:09 -0800 http://kangax.github.io/compat-table/esnext/ crashes reliably 2020-04-15 09:23:37 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified OS X 10.11 RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=184629 InRadar, NeedsReduction P2 Critical --- 1 oliver mark.lam commit-queue fpizlo ggaren keith_miller mark.lam msaboff saam webkit-bug-importer oldest_to_newest 1174136 0 oliver 2016-03-12 19:33:09 -0800 Null deref, this is no a dev machine so I can't investigate further. Happens in the nightly from r198070. Process: com.apple.WebKit.WebContent.Development [6631] Path: /Volumes/VOLUME/WebKit.app/Contents/Frameworks/10-11/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Identifier: com.apple.WebKit.WebContent.Development Version: 602+ (602.1.23+) Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: SafariForWebKitDevelopment [6578] User ID: 501 Date/Time: 2016-03-12 19:31:28.355 -0800 OS Version: Mac OS X 10.11.3 (15D21) Report Version: 11 Anonymous UUID: 1C46B275-63E4-0BB5-438C-B3E37CB8069F Time Awake Since Boot: 720000 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000005 Exception Note: EXC_CORPSE_NOTIFY VM Regions Near 0x5: --> __TEXT 0000000100163000-0000000100165000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/WebKit.app/Contents/Frameworks/10-11/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: Bundle controller class: BrowserBundleController Process Model: Multiple Web Processes Global Trace Buffer (reverse chronological seconds): 0.679758 CFNetwork 0x00007fff99d2bd29 Explicitly setting CF cookie storage singleton 0.679995 CFNetwork 0x00007fff99d62621 Explicitly setting cookie storage singleton Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010119053e JSC::JSObject::hasPropertyGeneric(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot::InternalMethodType) const + 2238 1 com.apple.JavaScriptCore 0x00000001012a896f JSC::toPropertyDescriptor(JSC::ExecState*, JSC::JSValue, JSC::PropertyDescriptor&) + 1471 2 com.apple.JavaScriptCore 0x00000001012a5aa0 JSC::objectConstructorDefineProperty(JSC::ExecState*) + 560 3 ??? 0x000050826fa01028 0 + 88521148731432 4 com.apple.JavaScriptCore 0x0000000101268a33 llint_entry + 23457 5 com.apple.JavaScriptCore 0x0000000101262caf vmEntryToJavaScript + 299 6 com.apple.JavaScriptCore 0x00000001010da9ae JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 7 com.apple.JavaScriptCore 0x000000010103a99f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447 8 com.apple.JavaScriptCore 0x0000000100c5846e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62 9 com.apple.JavaScriptCore 0x0000000100dd3d8d JSC::ProxyObject::performDefineOwnProperty(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool) + 1485 10 com.apple.JavaScriptCore 0x00000001012ae70e JSC::objectProtoFuncDefineGetter(JSC::ExecState*) + 958 11 ??? 0x000050826fa01028 0 + 88521148731432 12 com.apple.JavaScriptCore 0x0000000101268a33 llint_entry + 23457 13 com.apple.JavaScriptCore 0x0000000101268a33 llint_entry + 23457 14 com.apple.JavaScriptCore 0x0000000101268a33 llint_entry + 23457 15 com.apple.JavaScriptCore 0x0000000101262caf vmEntryToJavaScript + 299 16 com.apple.JavaScriptCore 0x00000001010da9ae JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158 17 com.apple.JavaScriptCore 0x000000010103a6bb JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 16619 18 com.apple.JavaScriptCore 0x0000000100cb3651 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 593 19 com.apple.WebCore 0x0000000102615d65 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 309 20 com.apple.WebCore 0x0000000102615fb0 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) + 48 21 com.apple.WebCore 0x000000010261c072 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 562 22 com.apple.WebCore 0x000000010261aae5 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1061 23 com.apple.WebCore 0x0000000101db48f8 WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 344 24 com.apple.WebCore 0x0000000101db4750 WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 48 25 com.apple.WebCore 0x0000000101d4d44c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 316 26 com.apple.WebCore 0x0000000101d4d7fb WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 667 27 com.apple.WebCore 0x0000000101d4d093 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 115 28 com.apple.WebCore 0x0000000101d4e48e WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() + 350 29 com.apple.WebCore 0x0000000101d4e682 WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) + 82 30 com.apple.WebCore 0x00000001018ee3a9 WebCore::CachedResource::checkNotify() + 153 31 com.apple.WebCore 0x000000010276bdd1 WebCore::SubresourceLoader::didFinishLoading(double) + 1153 32 com.apple.WebKit 0x000000010038b660 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 460 33 com.apple.WebKit 0x0000000100197ba1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 34 com.apple.WebKit 0x000000010019a50a IPC::Connection::dispatchOneMessage() + 126 35 com.apple.JavaScriptCore 0x0000000101538a82 WTF::RunLoop::performWork() + 898 36 com.apple.JavaScriptCore 0x0000000101538c62 WTF::RunLoop::performWork(void*) + 34 37 com.apple.CoreFoundation 0x00007fff8eb6f5c1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 38 com.apple.CoreFoundation 0x00007fff8eb6141c __CFRunLoopDoSources0 + 556 39 com.apple.CoreFoundation 0x00007fff8eb6093f __CFRunLoopRun + 927 40 com.apple.CoreFoundation 0x00007fff8eb60338 CFRunLoopRunSpecific + 296 41 com.apple.HIToolbox 0x00007fff95f72935 RunCurrentEventLoopInMode + 235 42 com.apple.HIToolbox 0x00007fff95f7276f ReceiveNextEventCommon + 432 43 com.apple.HIToolbox 0x00007fff95f725af _BlockUntilNextEventMatchingListInModeWithFilter + 71 44 com.apple.AppKit 0x00007fff8bcfd0ee _DPSNextEvent + 1067 45 com.apple.AppKit 0x00007fff8c0c9943 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 46 com.apple.AppKit 0x00007fff8bcf2fc8 -[NSApplication run] + 682 47 com.apple.AppKit 0x00007fff8bc75520 NSApplicationMain + 1176 48 libxpc.dylib 0x00007fff9b84ff6c _xpc_objc_main + 793 49 libxpc.dylib 0x00007fff9b8516bb xpc_main + 494 50 com.apple.WebKit.WebContent.Development 0x00000001001647df main + 422 51 libdyld.dylib 0x00007fff96a3f5ad start + 1 Thread 1: 0 libsystem_kernel.dylib 0x00007fffa01136de __workq_kernreturn + 10 1 libsystem_pthread.dylib 0x00007fff8cb6a729 _pthread_wqthread + 1283 2 libsystem_pthread.dylib 0x00007fff8cb68365 start_wqthread + 13 Thread 2:: Dispatch queue: com.apple.libdispatch-manager 0 libsystem_kernel.dylib 0x00007fffa0113ff6 kevent_qos + 10 1 libdispatch.dylib 0x00007fff8fcb5099 _dispatch_mgr_invoke + 216 2 libdispatch.dylib 0x00007fff8fcb4d01 _dispatch_mgr_thread + 52 Thread 3: 0 libsystem_kernel.dylib 0x00007fffa01136de __workq_kernreturn + 10 1 libsystem_pthread.dylib 0x00007fff8cb6a729 _pthread_wqthread + 1283 2 libsystem_pthread.dylib 0x00007fff8cb68365 start_wqthread + 13 Thread 4: 0 libsystem_kernel.dylib 0x00007fffa01136de __workq_kernreturn + 10 1 libsystem_pthread.dylib 0x00007fff8cb6a729 _pthread_wqthread + 1283 2 libsystem_pthread.dylib 0x00007fff8cb68365 start_wqthread + 13 Thread 5: 0 libsystem_kernel.dylib 0x00007fffa01136de __workq_kernreturn + 10 1 libsystem_pthread.dylib 0x00007fff8cb6a729 _pthread_wqthread + 1283 2 libsystem_pthread.dylib 0x00007fff8cb68365 start_wqthread + 13 Thread 6: Thread 7:: com.apple.NSEventThread 0 libsystem_kernel.dylib 0x00007fffa010d386 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fffa010c7c7 mach_msg + 55 2 com.apple.CoreFoundation 0x00007fff8eb61624 __CFRunLoopServiceMachPort + 212 3 com.apple.CoreFoundation 0x00007fff8eb60aec __CFRunLoopRun + 1356 4 com.apple.CoreFoundation 0x00007fff8eb60338 CFRunLoopRunSpecific + 296 5 com.apple.AppKit 0x00007fff8bdbc065 _NSEventThread + 149 6 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 7 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 8 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 8:: com.apple.NSURLConnectionLoader 0 libsystem_kernel.dylib 0x00007fffa010d386 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fffa010c7c7 mach_msg + 55 2 com.apple.CoreFoundation 0x00007fff8eb61624 __CFRunLoopServiceMachPort + 212 3 com.apple.CoreFoundation 0x00007fff8eb60aec __CFRunLoopRun + 1356 4 com.apple.CoreFoundation 0x00007fff8eb60338 CFRunLoopRunSpecific + 296 5 com.apple.CFNetwork 0x00007fff99b656e9 +[NSURLConnection(Loader) _resourceLoadLoop:] + 412 6 com.apple.Foundation 0x00007fff958d4c6f __NSThread__start__ + 1351 7 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 8 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 9 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 9: 0 libsystem_kernel.dylib 0x00007fffa0113206 __semwait_signal + 10 1 libsystem_c.dylib 0x00007fff8ce16d17 nanosleep + 199 2 libc++.1.dylib 0x00007fff9a817020 std::__1::this_thread::sleep_for(std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > const&) + 75 3 com.apple.JavaScriptCore 0x00000001015578cb bmalloc::Heap::scavenge(std::__1::unique_lock<bmalloc::StaticMutex>&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >) + 155 4 com.apple.JavaScriptCore 0x0000000101557804 bmalloc::Heap::concurrentScavenge() + 68 5 com.apple.JavaScriptCore 0x000000010155940a bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>::threadRunLoop() + 90 6 com.apple.JavaScriptCore 0x000000010155962d void* std::__1::__thread_proxy<std::__1::tuple<void (*)(bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*), bmalloc::AsyncTask<bmalloc::Heap, void (bmalloc::Heap::*)()>*> >(void*) + 93 7 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 8 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 9 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 10:: WebCore: Scrolling 0 libsystem_kernel.dylib 0x00007fffa010d386 mach_msg_trap + 10 1 libsystem_kernel.dylib 0x00007fffa010c7c7 mach_msg + 55 2 com.apple.CoreFoundation 0x00007fff8eb61624 __CFRunLoopServiceMachPort + 212 3 com.apple.CoreFoundation 0x00007fff8eb60aec __CFRunLoopRun + 1356 4 com.apple.CoreFoundation 0x00007fff8eb60338 CFRunLoopRunSpecific + 296 5 com.apple.CoreFoundation 0x00007fff8ec231f1 CFRunLoopRun + 97 6 com.apple.WebCore 0x0000000102638d5d WebCore::ScrollingThread::initializeRunLoop() + 253 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 11:: WTF Parallel Helper Thread 0 libsystem_kernel.dylib 0x00007fffa0112eb2 __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff8cb6b150 _pthread_cond_wait + 767 2 libc++.1.dylib 0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47 3 com.apple.JavaScriptCore 0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494 4 com.apple.JavaScriptCore 0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154 5 com.apple.JavaScriptCore 0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291 6 com.apple.JavaScriptCore 0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 12:: WTF Parallel Helper Thread 0 libsystem_kernel.dylib 0x00007fffa0112eb2 __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff8cb6b150 _pthread_cond_wait + 767 2 libc++.1.dylib 0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47 3 com.apple.JavaScriptCore 0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494 4 com.apple.JavaScriptCore 0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154 5 com.apple.JavaScriptCore 0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291 6 com.apple.JavaScriptCore 0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 13:: WTF Parallel Helper Thread 0 libsystem_kernel.dylib 0x00007fffa0112eb2 __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff8cb6b150 _pthread_cond_wait + 767 2 libc++.1.dylib 0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47 3 com.apple.JavaScriptCore 0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494 4 com.apple.JavaScriptCore 0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154 5 com.apple.JavaScriptCore 0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291 6 com.apple.JavaScriptCore 0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 14:: WTF Parallel Helper Thread 0 libsystem_kernel.dylib 0x00007fffa0112eb2 __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff8cb6b150 _pthread_cond_wait + 767 2 libc++.1.dylib 0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47 3 com.apple.JavaScriptCore 0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494 4 com.apple.JavaScriptCore 0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154 5 com.apple.JavaScriptCore 0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291 6 com.apple.JavaScriptCore 0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 15:: WTF Parallel Helper Thread 0 libsystem_kernel.dylib 0x00007fffa0112eb2 __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff8cb6b150 _pthread_cond_wait + 767 2 libc++.1.dylib 0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47 3 com.apple.JavaScriptCore 0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494 4 com.apple.JavaScriptCore 0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154 5 com.apple.JavaScriptCore 0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291 6 com.apple.JavaScriptCore 0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 16:: WTF Parallel Helper Thread 0 libsystem_kernel.dylib 0x00007fffa0112eb2 __psynch_cvwait + 10 1 libsystem_pthread.dylib 0x00007fff8cb6b150 _pthread_cond_wait + 767 2 libc++.1.dylib 0x00007fff9a7d868f std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&) + 47 3 com.apple.JavaScriptCore 0x0000000101536e3e WTF::ParkingLot::parkConditionally(void const*, std::__1::function<bool ()>, std::__1::function<void ()>, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 2494 4 com.apple.JavaScriptCore 0x0000000100eed0fa bool WTF::ConditionBase::waitUntil<WTF::Lock>(WTF::Lock&, std::__1::chrono::time_point<std::__1::chrono::steady_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000000l> > >) + 154 5 com.apple.JavaScriptCore 0x0000000101536253 WTF::ParallelHelperPool::waitForClientWithTask(WTF::Locker<WTF::LockBase> const&) + 291 6 com.apple.JavaScriptCore 0x0000000101536013 WTF::ParallelHelperPool::helperThreadBody() + 83 7 com.apple.JavaScriptCore 0x0000000101548cd2 WTF::threadEntryPoint(void*) + 178 8 com.apple.JavaScriptCore 0x00000001015490ef WTF::wtfThreadEntryPoint(void*) + 15 9 libsystem_pthread.dylib 0x00007fff8cb6ac13 _pthread_body + 131 10 libsystem_pthread.dylib 0x00007fff8cb6ab90 _pthread_start + 168 11 libsystem_pthread.dylib 0x00007fff8cb68375 thread_start + 13 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000107a5ad58 rbx: 0x0000000000000001 rcx: 0x0000000023a41e65 rdx: 0x0000000000000000 rdi: 0x0000000000000010 rsi: 0x00000001083b6ea0 rbp: 0x00007fff5fa99800 rsp: 0x00007fff5fa99770 r8: 0x00000001083b6ee0 r9: 0x0000000000000000 r10: 0x000000000000000f r11: 0xffff000000000002 r12: 0x0000000107a5ad40 r13: 0x0000000108231080 r14: 0x0000000000000000 r15: 0x0000000107bb2120 rip: 0x000000010119053e rfl: 0x0000000000010246 cr2: 0x0000000000000005 Logical CPU: 6 Error Code: 0x00000004 Trap Number: 14 1174147 1 webkit-bug-importer 2016-03-12 22:05:11 -0800 <rdar://problem/25131391> 1174148 2 mark.lam 2016-03-12 22:10:50 -0800 Here's a more descriptive crash trace using a debug build: ASSERTION FAILED: descriptor.setter() /Volumes/Data/ws4/OpenSource/Source/JavaScriptCore/runtime/ObjectConstructor.h(108) : JSC::JSObject *JSC::constructObjectFromPropertyDescriptor(JSC::ExecState *, const JSC::PropertyDescriptor &) 1 0x1056cae00 WTFCrash 2 0x104cd9bc3 JSC::constructObjectFromPropertyDescriptor(JSC::ExecState*, JSC::PropertyDescriptor const&) 3 0x104cd6f57 JSC::ProxyObject::performDefineOwnProperty(JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool) 4 0x104cd2216 JSC::ProxyObject::defineOwnProperty(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool) 5 0x105372381 JSC::objectProtoFuncDefineGetter(JSC::ExecState*) 6 0x4723a0201028 7 0x1052f7fc5 llint_entry The issue is that constructObjectFromPropertyDescriptor() is expecting that when the descriptor is an accessor, that both the getter and setter are defined. In this case, the getter is, but the setter is not. The crash comes from using the null setter in the descriptor. 1174155 3 273874 mark.lam 2016-03-12 23:23:08 -0800 Created attachment 273874 proposed patch. Currently running tests. 1174178 4 273874 ysuzuki 2016-03-13 04:22:06 -0700 Comment on attachment 273874 proposed patch. r=me 1174193 5 mark.lam 2016-03-13 08:47:58 -0700 Thanks for the review. Landed in r198080: <http://trac.webkit.org/r198080>. 273874 2016-03-12 23:23:08 -0800 2016-03-13 04:22:06 -0700 proposed patch. bug-155404.patch text/plain 4936 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTk4MDc4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI0IEBA CisyMDE2LTAzLTEyICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBo dHRwOi8va2FuZ2F4LmdpdGh1Yi5pby9jb21wYXQtdGFibGUvZXNuZXh0LyBjcmFzaGVzIHJlbGlh Ymx5LgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU1 NDA0CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgY29u c3RydWN0T2JqZWN0RnJvbVByb3BlcnR5RGVzY3JpcHRvcigpIHdhcyBpbmNvcnJlY3RseSBhc3N1 bWluZyB0aGF0IGVpdGhlcgorICAgICAgICBib3RoIGdldHRlciBhbmQgc2V0dGVyIHdpbGwgYmUg c2V0IG9yIHVuc2V0LiAgSXQgZGlkIG5vdCBjb25zaWRlciB0aGF0IG9ubHkgb25lCisgICAgICAg IG9mIHRoZSBnZXR0ZXIgb3Igc2V0dGVyIG1heSBiZSBzZXQuICBUaGlzIHBhdGNoIGZpeGVzIHRo YXQuCisKKyAgICAgICAgKiBydW50aW1lL09iamVjdENvbnN0cnVjdG9yLmg6CisgICAgICAgIChK U0M6OmNvbnN0cnVjdE9iamVjdEZyb21Qcm9wZXJ0eURlc2NyaXB0b3IpOgorICAgICAgICAqIHRl c3RzL3N0cmVzcy9wcm94eS13aXRoLXVuYmFsYW5jZWQtZ2V0dGVyLXNldHRlci5qczogQWRkZWQu CisgICAgICAgIChhc3NlcnQpOgorICAgICAgICAobGV0LmhhbmRsZXIuZGVmaW5lUHJvcGVydHkp OgorICAgICAgICAoaS4pOgorICAgICAgICAoaS5hc3NlcnQpOgorICAgICAgICAoaS5nZXQgYXNz ZXJ0KToKKyAgICAgICAgKHNldCBhc3NlcnQpOgorCiAyMDE2LTAzLTEyICBCcmlhbiBCdXJnICA8 YmJ1cmdAYXBwbGUuY29tPgogCiAgICAgICAgIFdoZW4gZ2VuZXJhdGluZyBPYmplY3RpdmUtQyBw cm90b2NvbCB0eXBlcywgZ2V0dGVycyBmb3Igb2JqZWN0cyBuZWVkIHRvIHN5bnRoZXNpemUgYSBu ZXcgb2JqZWN0IGluc3RhbmNlCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9P YmplY3RDb25zdHJ1Y3Rvci5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9y dW50aW1lL09iamVjdENvbnN0cnVjdG9yLmgJKHJldmlzaW9uIDE5ODA3OCkKKysrIFNvdXJjZS9K YXZhU2NyaXB0Q29yZS9ydW50aW1lL09iamVjdENvbnN0cnVjdG9yLmgJKHdvcmtpbmcgY29weSkK QEAgLTEwNCwxMCArMTA0LDExIEBAIGlubGluZSBKU09iamVjdCogY29uc3RydWN0T2JqZWN0RnJv bVByb3AKICAgICAgICAgZGVzY3JpcHRpb24tPnB1dERpcmVjdCh2bSwgdm0ucHJvcGVydHlOYW1l cy0+dmFsdWUsIGRlc2NyaXB0b3IudmFsdWUoKSA/IGRlc2NyaXB0b3IudmFsdWUoKSA6IGpzVW5k ZWZpbmVkKCksIDApOwogICAgICAgICBkZXNjcmlwdGlvbi0+cHV0RGlyZWN0KHZtLCB2bS5wcm9w ZXJ0eU5hbWVzLT53cml0YWJsZSwganNCb29sZWFuKGRlc2NyaXB0b3Iud3JpdGFibGUoKSksIDAp OwogICAgIH0gZWxzZSB7Ci0gICAgICAgIEFTU0VSVChkZXNjcmlwdG9yLmdldHRlcigpKTsKLSAg ICAgICAgQVNTRVJUKGRlc2NyaXB0b3Iuc2V0dGVyKCkpOwotICAgICAgICBkZXNjcmlwdGlvbi0+ cHV0RGlyZWN0KHZtLCB2bS5wcm9wZXJ0eU5hbWVzLT5nZXQsIGRlc2NyaXB0b3IuZ2V0dGVyKCks IDApOwotICAgICAgICBkZXNjcmlwdGlvbi0+cHV0RGlyZWN0KHZtLCB2bS5wcm9wZXJ0eU5hbWVz LT5zZXQsIGRlc2NyaXB0b3Iuc2V0dGVyKCksIDApOworICAgICAgICBBU1NFUlQoZGVzY3JpcHRv ci5nZXR0ZXIoKSB8fCBkZXNjcmlwdG9yLnNldHRlcigpKTsKKyAgICAgICAgaWYgKGRlc2NyaXB0 b3IuZ2V0dGVyKCkpCisgICAgICAgICAgICBkZXNjcmlwdGlvbi0+cHV0RGlyZWN0KHZtLCB2bS5w cm9wZXJ0eU5hbWVzLT5nZXQsIGRlc2NyaXB0b3IuZ2V0dGVyKCksIDApOworICAgICAgICBpZiAo ZGVzY3JpcHRvci5zZXR0ZXIoKSkKKyAgICAgICAgICAgIGRlc2NyaXB0aW9uLT5wdXREaXJlY3Qo dm0sIHZtLnByb3BlcnR5TmFtZXMtPnNldCwgZGVzY3JpcHRvci5zZXR0ZXIoKSwgMCk7CiAgICAg fQogICAgIAogICAgIGRlc2NyaXB0aW9uLT5wdXREaXJlY3Qodm0sIHZtLnByb3BlcnR5TmFtZXMt PmVudW1lcmFibGUsIGpzQm9vbGVhbihkZXNjcmlwdG9yLmVudW1lcmFibGUoKSksIDApOwpJbmRl eDogU291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9wcm94eS13aXRoLXVuYmFsYW5j ZWQtZ2V0dGVyLXNldHRlci5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUv dGVzdHMvc3RyZXNzL3Byb3h5LXdpdGgtdW5iYWxhbmNlZC1nZXR0ZXItc2V0dGVyLmpzCShyZXZp c2lvbiAwKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9wcm94eS13aXRo LXVuYmFsYW5jZWQtZ2V0dGVyLXNldHRlci5qcwkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDcw IEBACitmdW5jdGlvbiBhc3NlcnQoYikgeworICAgIGlmICghYikKKyAgICAgICAgdGhyb3cgbmV3 IEVycm9yKCJCYWQgYXNzZXJ0aW9uLiIpOworfQorCisvLyBTZXR0aW5nIHRoZSBnZXR0ZXIgb25s eS4gIAorKGZ1bmN0aW9uICgpIHsKKyAgICBsZXQgdGFyZ2V0ID0ge307CisgICAgbGV0IGNhbGxl ZCA9IGZhbHNlOworICAgIGxldCBoYW5kbGVyID0geworICAgICAgICBkZWZpbmVQcm9wZXJ0eTog ZnVuY3Rpb24odGhlVGFyZ2V0LCBwcm9wTmFtZSwgZGVzY3JpcHRvcikgeworICAgICAgICAgICAg Y2FsbGVkID0gdHJ1ZTsKKyAgICAgICAgICAgIHJldHVybiBSZWZsZWN0LmRlZmluZVByb3BlcnR5 KHRoZVRhcmdldCwgcHJvcE5hbWUsIGRlc2NyaXB0b3IpOworICAgICAgICB9CisgICAgfTsKKwor ICAgIGxldCBwcm94eSA9IG5ldyBQcm94eSh0YXJnZXQsIGhhbmRsZXIpOworICAgIGZvciAobGV0 IGkgPSAwOyBpIDwgNTAwOyBpKyspIHsKKyAgICAgICAgbGV0IHJlc3VsdCA9IFJlZmxlY3QuZGVm aW5lUHJvcGVydHkocHJveHksICJ4IiwgeworICAgICAgICAgICAgZW51bWVyYWJsZTogdHJ1ZSwK KyAgICAgICAgICAgIGNvbmZpZ3VyYWJsZTogdHJ1ZSwKKyAgICAgICAgICAgIGdldDogZnVuY3Rp b24oKXt9LAorICAgICAgICB9KTsKKyAgICAgICAgYXNzZXJ0KHJlc3VsdCk7CisgICAgICAgIGFz c2VydChjYWxsZWQpOworICAgICAgICBjYWxsZWQgPSBmYWxzZTsKKworICAgICAgICBmb3IgKGxl dCBvYmogb2YgW3RhcmdldCwgcHJveHldKSB7CisgICAgICAgICAgICBsZXQgcERlc2MgPSBPYmpl Y3QuZ2V0T3duUHJvcGVydHlEZXNjcmlwdG9yKG9iaiwgIngiKTsKKyAgICAgICAgICAgIGFzc2Vy dCh0eXBlb2YgcERlc2MuZ2V0ID09PSAiZnVuY3Rpb24iKTsKKyAgICAgICAgICAgIGFzc2VydCh0 eXBlb2YgcERlc2Muc2V0ID09PSAidW5kZWZpbmVkIik7CisgICAgICAgICAgICBhc3NlcnQocERl c2MuZ2V0LnRvU3RyaW5nKCkgPT09IChmdW5jdGlvbigpe30pLnRvU3RyaW5nKCkpOworICAgICAg ICAgICAgYXNzZXJ0KHBEZXNjLmNvbmZpZ3VyYWJsZSA9PT0gdHJ1ZSk7CisgICAgICAgICAgICBh c3NlcnQocERlc2MuZW51bWVyYWJsZSA9PT0gdHJ1ZSk7CisgICAgICAgIH0KKyAgICB9Cit9KSgp OworCisvLyBTZXR0aW5nIHRoZSBzZXR0ZXIgb25seS4gIAorKGZ1bmN0aW9uICgpIHsKKyAgICBs ZXQgdGFyZ2V0ID0ge307CisgICAgbGV0IGNhbGxlZCA9IGZhbHNlOworICAgIGxldCBoYW5kbGVy ID0geworICAgICAgICBkZWZpbmVQcm9wZXJ0eTogZnVuY3Rpb24odGhlVGFyZ2V0LCBwcm9wTmFt ZSwgZGVzY3JpcHRvcikgeworICAgICAgICAgICAgY2FsbGVkID0gdHJ1ZTsKKyAgICAgICAgICAg IHJldHVybiBSZWZsZWN0LmRlZmluZVByb3BlcnR5KHRoZVRhcmdldCwgcHJvcE5hbWUsIGRlc2Ny aXB0b3IpOworICAgICAgICB9CisgICAgfTsKKworICAgIGxldCBwcm94eSA9IG5ldyBQcm94eSh0 YXJnZXQsIGhhbmRsZXIpOworICAgIGZvciAobGV0IGkgPSAwOyBpIDwgNTAwOyBpKyspIHsKKyAg ICAgICAgbGV0IHJlc3VsdCA9IFJlZmxlY3QuZGVmaW5lUHJvcGVydHkocHJveHksICJ4Iiwgewor ICAgICAgICAgICAgZW51bWVyYWJsZTogdHJ1ZSwKKyAgICAgICAgICAgIGNvbmZpZ3VyYWJsZTog dHJ1ZSwKKyAgICAgICAgICAgIHNldDogZnVuY3Rpb24oeCl7fSwKKyAgICAgICAgfSk7CisgICAg ICAgIGFzc2VydChyZXN1bHQpOworICAgICAgICBhc3NlcnQoY2FsbGVkKTsKKyAgICAgICAgY2Fs bGVkID0gZmFsc2U7CisKKyAgICAgICAgZm9yIChsZXQgb2JqIG9mIFt0YXJnZXQsIHByb3h5XSkg eworICAgICAgICAgICAgbGV0IHBEZXNjID0gT2JqZWN0LmdldE93blByb3BlcnR5RGVzY3JpcHRv cihvYmosICJ4Iik7CisgICAgICAgICAgICBhc3NlcnQodHlwZW9mIHBEZXNjLmdldCA9PT0gInVu ZGVmaW5lZCIpOworICAgICAgICAgICAgYXNzZXJ0KHR5cGVvZiBwRGVzYy5zZXQgPT09ICJmdW5j dGlvbiIpOworICAgICAgICAgICAgYXNzZXJ0KHBEZXNjLnNldC50b1N0cmluZygpID09PSAoZnVu Y3Rpb24oeCl7fSkudG9TdHJpbmcoKSk7CisgICAgICAgICAgICBhc3NlcnQocERlc2MuY29uZmln dXJhYmxlID09PSB0cnVlKTsKKyAgICAgICAgICAgIGFzc2VydChwRGVzYy5lbnVtZXJhYmxlID09 PSB0cnVlKTsKKyAgICAgICAgfQorICAgIH0KK30pKCk7Cg==