Bug 141253

Summary: ASSERT(thisObject->m_propertyTableUnsafe) on a regression test
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: fpizlo, ggaren, kling, ryanhaddad
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Alexey Proskuryakov 2015-02-04 10:28:56 PST 
Saw this assertion on dom/html/level1/core/hc_nodeappendchildgetnodename.html today (this test didn't previously hit it):

0   com.apple.JavaScriptCore      	0x00000001144428da WTFCrash + 42 (Assertions.cpp:321)
1   com.apple.JavaScriptCore      	0x00000001143966ad JSC::Structure::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) + 509 (Structure.cpp:1005)
2   com.apple.JavaScriptCore      	0x0000000114374ed8 JSC::visitChildren(JSC::SlotVisitor&, JSC::JSCell const*) + 264 (SlotVisitor.cpp:105)
3   com.apple.JavaScriptCore      	0x0000000114374d39 JSC::SlotVisitor::drain() + 249 (SlotVisitor.cpp:145)
4   com.apple.JavaScriptCore      	0x0000000113fc66d2 JSC::SlotVisitor::donateAndDrain() + 34 (SlotVisitorInlines.h:235)
5   com.apple.JavaScriptCore      	0x0000000113fc0c82 JSC::Heap::visitConservativeRoots(JSC::ConservativeRoots&) + 114 (Heap.cpp:632)
6   com.apple.JavaScriptCore      	0x0000000113fc08bf JSC::Heap::markRoots(double) + 591 (Heap.cpp:526)
7   com.apple.JavaScriptCore      	0x0000000113fc264b JSC::Heap::collect(JSC::HeapOperation) + 1019 (Heap.cpp:1023)
8   com.apple.JavaScriptCore      	0x0000000113aeb517 JSC::Heap::collectIfNecessaryOrDefer() + 87 (HeapInlines.h:277)
9   com.apple.JavaScriptCore      	0x0000000113aeb442 JSC::Heap::decrementDeferralDepthAndGCIfNeeded() + 34 (HeapInlines.h:284)
10  com.apple.JavaScriptCore      	0x0000000113aeb418 JSC::DeferGC::~DeferGC() + 24 (DeferGC.h:47)

Full crash log: https://build.webkit.org/results/Apple%20Mavericks%20Debug%20WK2%20(Tests)/r179602%20(9274)/dom/html/level1/core/hc_nodeappendchildgetnodename-crash-log.txt
Comment 1 Alexey Proskuryakov 2016-11-15 12:30:40 PST 
This assertion is being removed in bug 162986.

*** This bug has been marked as a duplicate of bug 162986 ***