<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">
<!-- Bugzilla XML export from bugs.webkit.org. The DOCTYPE names an external DTD
     fetched over HTTPS; standalone="yes" tells parsers that no external markup
     declarations are needed to interpret the document. Consumers should parse
     this with DTD loading and external entity resolution disabled rather than
     fetching the referenced page.cgi URL. -->

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <!-- Bug 159588: JavaScriptCore GC assertion in SlotVisitor::appendToMarkStack,
         reported and resolved FIXED the same day; landed as r203012 (comment 5). -->
    <bug>
          <bug_id>159588</bug_id>
          
          <creation_ts>2016-07-08 16:54:23 -0700</creation_ts>
          <short_desc>ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)</short_desc>
          <delta_ts>2016-07-08 17:25:08 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>JavaScriptCore</component>
          <version>WebKit Nightly Build</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Michael Saboff">msaboff</reporter>
          <assigned_to name="Michael Saboff">msaboff</assigned_to>
          <cc>commit-queue</cc>
    
    <cc>fpizlo</cc>
    
    <cc>ggaren</cc>
    
    <cc>keith_miller</cc>
    
    <cc>mark.lam</cc>
    
    <cc>saam</cc>
          

      

      

      

          <!-- Comments follow, oldest first. In comment 0 the first lldb line is cut
               off in this export after "addre" (a stray byte and a lone "1" follow),
               so the faulting address in the EXC_BAD_ACCESS stop reason is not
               recoverable from this document. -->
          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1209333</commentid>
    <comment_count>0</comment_count>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2016-07-08 16:54:23 -0700</bug_when>
    <thetext>Here is the stack trace from within the debugger:
(lldb) btjs
* thread #1: tid = 0x1ca2eee, 0x00000001086ca294, queue = &apos;com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, addre\320
1
    frame #0: 0x00000001086ca294 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323
    frame #1: 0x00000001084f58d0 JavaScriptCore`JSC::SlotVisitor::appendToMarkStack(this=0x0000000104ff5498, cell=0x0000000106877490) + 80 at SlotVisitor.cpp:176
    frame #2: 0x0000000107f9e45b JavaScriptCore`JSC::Heap::addToRememberedSet(this=0x0000000104ff1018, cell=0x0000000106877490) + 251 at Heap.cpp:1085
    frame #3: 0x00000001077ebced JavaScriptCore`JSC::Heap::writeBarrier(this=0x0000000104ff1018, from=0x0000000106877490) + 237 at HeapInlines.h:121
    frame #4: 0x0000000107e7cfc0 JavaScriptCore`JSC::ScriptExecutable::installCode(this=0x0000000106877490, vm=0x0000000104ff1000, genericCodeBlock=0x000000010686b280, codeType=FunctionCode, kind=CodeForCall) + 1744 at Executable.cpp:266
    frame #5: 0x000000010797d341 JavaScriptCore`JSC::CodeBlock::jettison(this=0x0000000106845e40, reason=JettisonDueToUnprofiledWatchpoint, mode=CountReoptimization, detail=0x00007fff5b2564e8) + 1569 at CodeBlock.cpp:3481
    frame #6: 0x00000001079a8682 JavaScriptCore`JSC::CodeBlockJettisoningWatchpoint::fireInternal(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 130 at CodeBlockJettisoningWatchpoint.cpp:40
    frame #7: 0x00000001086796d2 JavaScriptCore`JSC::Watchpoint::fire(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 114 at Watchpoint.cpp:56
    frame #8: 0x0000000108679d28 JavaScriptCore`JSC::WatchpointSet::fireAllWatchpoints(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 408 at Watchpoint.cpp:131
    frame #9: 0x0000000108679b84 JavaScriptCore`JSC::WatchpointSet::fireAllSlow(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 116 at Watchpoint.cpp:92
    frame #10: 0x00000001079037a0 JavaScriptCore`JSC::WatchpointSet::fireAll(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 80 at Watchpoint.h:160
    frame #11: 0x000000010790373e JavaScriptCore`JSC::WatchpointSet::invalidate(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 62 at Watchpoint.h:186
    frame #12: 0x0000000107fc502a JavaScriptCore`JSC::InlineWatchpointSet::invalidate(this=0x000000010683eae8, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 74 at Watchpoint.h:315
    frame #13: 0x0000000107fc4d1b JavaScriptCore`JSC::InferredValue::invalidate(this=0x000000010683eae0, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 75 at InferredValue.h:94
    frame #14: 0x0000000107fc4fd0 JavaScriptCore`JSC::InferredValue::ValueCleanup::finalizeUnconditionally(this=0x0000000104d1bed0) + 304 at InferredValue.cpp:128
    frame #15: 0x00000001084f7448 JavaScriptCore`JSC::SlotVisitor::finalizeUnconditionalFinalizers(this=0x0000000104ff5498) + 88 at SlotVisitor.cpp:460
    frame #16: 0x0000000107f9a9db JavaScriptCore`JSC::Heap::finalizeUnconditionalFinalizers(this=0x0000000104ff1018) + 43 at Heap.cpp:486
    frame #17: 0x0000000107f9eba6 JavaScriptCore`JSC::Heap::collectImpl(this=0x0000000104ff1018, collectionType=FullCollection, stackOrigin=0x00007fff5b259000, stackTop=0x00007fff5b256718, calleeSavedRegisters=0x00007fff5b256730) [37]) + 1478 at Heap.cpp:1179
    frame #18: 0x0000000107f9e59d JavaScriptCore`JSC::Heap::collect(this=0x0000000104ff1018, collectionType=FullCollection) + 141 at Heap.cpp:1107
    frame #19: 0x0000000107f9e4c5 JavaScriptCore`JSC::Heap::collectAndSweep(this=0x0000000104ff1018, collectionType=FullCollection) + 53 at Heap.cpp:1093
    frame #20: 0x00000001049aac0a jsc`JSC::Heap::collectAllGarbage(this=0x0000000104ff1018) + 26 at Heap.h:168
    frame #21: 0x00000001049b50ed jsc`functionGCAndSweep(exec=0x00007fff5b256860) + 45 at jsc.cpp:1326
    frame #22: 0x000044fcad601028
    frame #23: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
    frame #24: 0x000044fcad628635
    frame #25: 0x000044fcad61fdf1
    frame #26: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
    frame #27: 0x00000001082f0e6e JavaScriptCore`vmEntryToJavaScript + 334 at LowLevelInterpreter64.asm:253
    frame #28: 0x00000001080e7f77 JavaScriptCore`JSC::JITCode::execute(this=0x0000000104d979b0, vm=0x0000000104ff1000, protoCallFrame=0x00007fff5b256d18) + 215 at JITCode.cpp:80
    frame #29: 0x00000001080754ce JavaScriptCore`JSC::Interpreter::execute(this=0x0000000104df20b0, program=0x000000010579ff70, callFrame=0x00000001057e3940, thisObj=0x00000001057aba40) + 4270 at Interpreter.cpp:961
    frame #30: 0x0000000107a04d2d JavaScriptCore`JSC::evaluate(exec=0x00000001057e3940, source=0x00007fff5b258298, thisValue=JSValue @ 0x00007fff5b2581a0, returnedException=0x00007fff5b2582b8) + 477 at Completion.cpp:107
    frame #31: 0x00000001049b2b31 jsc`runWithScripts(globalObject=0x00000001057e3900, scripts={ size = 1, capacity = 0 }, uncaughtExceptionName={ length = 0, contents = &apos;&apos; }, dump=false, module=false) + 1329 at jsc.cpp:2101
    frame #32: 0x00000001049aa6ee jsc`runJSC(vm=0x0000000104ff1000, options=CommandLine @ 0x00007fff5b258828) + 1326 at jsc.cpp:2348
    frame #33: 0x00000001049a94ba jsc`jscmain(argc=2, argv=0x00007fff5b258938) + 138 at jsc.cpp:2401
    frame #34: 0x00000001049a9326 jsc`main(argc=2, argv=0x00007fff5b258938) + 166 at jsc.cpp:1983
    frame #35: 0x00007fffdd7d4255 libdyld.dylib`start + 1
    frame #36: 0x00007fffdd7d4255 libdyld.dylib`start + 1</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1209334</commentid>
    <comment_count>1</comment_count>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2016-07-08 16:54:53 -0700</bug_when>
    <thetext>&lt;rdar://problem/27211757&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1209336</commentid>
    <comment_count>2</comment_count>
      <attachid>283226</attachid>
    <who name="Michael Saboff">msaboff</who>
    <bug_when>2016-07-08 17:00:53 -0700</bug_when>
    <thetext>Created attachment 283226
Patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1209337</commentid>
    <comment_count>3</comment_count>
      <attachid>283226</attachid>
    <who name="Geoffrey Garen">ggaren</who>
    <bug_when>2016-07-08 17:02:26 -0700</bug_when>
    <thetext>Comment on attachment 283226
Patch

r=me</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1209345</commentid>
    <comment_count>4</comment_count>
      <attachid>283226</attachid>
    <who name="Filip Pizlo">fpizlo</who>
    <bug_when>2016-07-08 17:13:58 -0700</bug_when>
    <thetext>Comment on attachment 283226
Patch

Wow, that&apos;s incredible!  R=me too!</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1209355</commentid>
    <comment_count>5</comment_count>
      <attachid>283226</attachid>
    <who name="WebKit Commit Bot">commit-queue</who>
    <bug_when>2016-07-08 17:25:04 -0700</bug_when>
    <thetext>Comment on attachment 283226
Patch

Clearing flags on attachment: 283226

Committed r203012: &lt;http://trac.webkit.org/changeset/203012&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1209356</commentid>
    <comment_count>6</comment_count>
    <who name="WebKit Commit Bot">commit-queue</who>
    <bug_when>2016-07-08 17:25:08 -0700</bug_when>
    <thetext>All reviewed patches have been landed.  Closing bug.</thetext>
  </long_desc>
      
          <!-- Patch attachment 283226, reviewed in comments 3 and 4. The <data>
               element holds the unified diff base64-encoded (see encoding="base64");
               decoded, it touches Source/JavaScriptCore/ChangeLog and
               Source/JavaScriptCore/bytecode/CodeBlock.cpp, adding an early return
               in CodeBlock::jettison() when the heap is collecting and the owner
               script executable is not marked. <size> appears to be the decoded
               byte count. -->
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>283226</attachid>
            <date>2016-07-08 17:00:53 -0700</date>
            <delta_ts>2016-07-08 17:25:04 -0700</delta_ts>
            <desc>Patch</desc>
            <filename>159588.patch</filename>
            <type>text/plain</type>
            <size>1879</size>
            <attacher name="Michael Saboff">msaboff</attacher>
            
              <data encoding="base64">SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291
cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjAzMDA4KQorKysgU291cmNl
L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBA
CisyMDE2LTA3LTA4ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg
ICAgIEFTU0VSVElPTiBGQUlMRUQ6IEhlYXA6OmlzTWFya2VkKGNlbGwpIGluIFNsb3RWaXNpdG9y
OjphcHBlbmRUb01hcmtTdGFjayhKU0M6OkpTQ2VsbCAqKQorICAgICAgICBodHRwczovL2J1Z3Mu
d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU5NTg4CisKKyAgICAgICAgUmV2aWV3ZWQgYnkg
Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2Ugd2VyZSBqZXR0aXNvbmluZyBhIENvZGVCbG9j
ayBkdXJpbmcgR0MgdGhhdCB3b24ndCBzdXJ2aXZlIGFuZCBpdHMgb3duaW5nIHNjcmlwdAorICAg
ICAgICB3b24ndCBzdXJ2aXZlIGVpdGhlci4gIFdlIGNhbid0IGluc3RhbGwgYW55IGNvZGUgb24g
dGhlIG93bmluZyBzY3JpcHQgYXMgdGhhdCBpbnZvbHZlcworICAgICAgICBhIHdyaXRlIGJhcnJp
ZXIgdGhhdCB3aWxsICJwdWxsIiB0aGUgc2NyaXB0IGJhY2sgaW50byB0aGUgcmVtZW1iZXJlZCBz
ZXQuICBCYWRuZXNzIHdvdWxkCisgICAgICAgIGVuc3VlLiAgQWRkZWQgYW4gZWFybHkgcmV0dXJu
IGluIENvZGVCbG9jazo6amV0dGlzb24oKSB3aGVuIHdlIGFyZSBnYXJiYWdlIGNvbGxlY3RpbmcK
KyAgICAgICAgYW5kIHRoZSBvd25pbmcgc2NyaXB0IGlzbid0IG1hcmtlZC4KKworICAgICAgICAq
IGJ5dGVjb2RlL0NvZGVCbG9jay5jcHA6CisgICAgICAgIChKU0M6OkNvZGVCbG9jazo6amV0dGlz
b24pOgorCiAyMDE2LTA3LTA4ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KIAogICAg
ICAgICBNb3ZlIENhbGxGcmFtZSBoZWFkZXIgaW5mbyBmcm9tIEpTU3RhY2suaCB0byBDYWxsRnJh
bWUuaApJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2J5dGVjb2RlL0NvZGVCbG9jay5jcHAK
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2J5dGVjb2RlL0NvZGVCbG9jay5j
cHAJKHJldmlzaW9uIDIwMzAwNikKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9D
b2RlQmxvY2suY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0zNDc3LDYgKzM0NzcsMTEgQEAgdm9pZCBD
b2RlQmxvY2s6OmpldHRpc29uKFByb2ZpbGVyOjpKZXR0aQogICAgICAgICB0YWxseUZyZXF1ZW50
RXhpdFNpdGVzKCk7CiAjZW5kaWYgLy8gRU5BQkxFKERGR19KSVQpCiAKKyAgICAvLyBKZXR0aXNv
biBjYW4gaGFwcGVuIGR1cmluZyBHQy4gV2UgZG9uJ3Qgd2FudCB0byBpbnN0YWxsIGNvZGUgdG8g
YSBkZWFkIGV4ZWN1dGFibGUKKyAgICAvLyBiZWNhdXNlIHRoYXQgd291bGQgYWRkIGEgZGVhZCBv
YmplY3QgdG8gdGhlIHJlbWVtYmVyZWQgc2V0LgorICAgIGlmIChtX3ZtLT5oZWFwLmlzQ29sbGVj
dGluZygpICYmICFIZWFwOjppc01hcmtlZChvd25lclNjcmlwdEV4ZWN1dGFibGUoKSkpCisgICAg
ICAgIHJldHVybjsKKwogICAgIC8vIFRoaXMgYWNjb21wbGlzaGVzICgyKS4KICAgICBvd25lclNj
cmlwdEV4ZWN1dGFibGUoKS0+aW5zdGFsbENvZGUoCiAgICAgICAgIG1fZ2xvYmFsT2JqZWN0LT52
bSgpLCBhbHRlcm5hdGl2ZSgpLCBjb2RlVHlwZSgpLCBzcGVjaWFsaXphdGlvbktpbmQoKSk7Cg==
</data>

          </attachment>
      

    </bug>

</bugzilla>