If either the m_constructor or m_prototype (but not both) is collected, we will call allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one that was collected, but at the end of the method we call release on both of them. This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool.
Created attachment 194111: Patch
<rdar://problem/13465627>
Comment on attachment 194111: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=194111&action=review

r=me

> Source/JavaScriptCore/ChangeLog:15
> + (createObjectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method,

"create" is a term of art for returning a +1 retained object. Since you're changing this function to return an autoreleased object, you should rename it to "objectWithCustomBrand".
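A small Objective-C sketch of the mismatch the report describes (one path hands the caller a +0 autoreleased object, the other a +1 object, and the caller releases unconditionally) beside a version that returns consistently autoreleased objects, which is what the "objectWith..." naming in the review promises. This is an added illustration with hypothetical names, not WebKit's code; it assumes manual reference counting (compile with -fno-objc-arc).

```objc
#import <Foundation/Foundation.h>

@interface Holder : NSObject {
    id m_prototype; // owned by the holder; cleared by -collect to mimic the object being collected
}
@end

@implementation Holder

- (void)collect { [m_prototype release]; m_prototype = nil; }
- (void)dealloc { [m_prototype release]; [super dealloc]; }

// BUGGY: returns +0 when the cached object survived, +1 when it had to be recreated.
// The caller cannot tell which it got, so an unconditional release is wrong on the
// cached path: the holder's own reference is dropped early and the pool drain
// releases the object a second time.
- (id)createPrototypeIfNeeded
{
    if (m_prototype)
        return [[m_prototype retain] autorelease]; // +0 to the caller
    m_prototype = [[NSObject alloc] init];         // ivar owns +1
    return [m_prototype retain];                   // +1 to the caller
}

// FIXED: both paths hand back an autoreleased (+0) object, so the caller never
// releases it. The name no longer starts with "create", which would promise +1.
- (id)prototypeObject
{
    if (!m_prototype)
        m_prototype = [[NSObject alloc] init];     // ivar owns +1
    return [[m_prototype retain] autorelease];     // always +0 to the caller
}

@end

static void buggyCaller(Holder *h)
{
    id proto = [h createPrototypeIfNeeded];
    [proto release]; // over-release whenever the cached (+0) path was taken
}

static void fixedCaller(Holder *h)
{
    id proto = [h prototypeObject];
    (void)proto;     // +0: use it within the current autorelease pool, never release it
}
```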
Committed r146392: <http://trac.webkit.org/changeset/146392>