From <rdar://problem/19046388> 1. Get a spade build of Safari with open source release r176455 or later. 2. Open Safari and navigate to http://www.bobistheoilguy.com/castrol-edge-qa/ 3. You may need to scroll. RESULTS Crash. With a Debug build: ASSERTION FAILED: !m_vector.isEmpty() /Volumes/Data/src/webkit/Source/JavaScriptCore/runtime/IntendedStructureChain.cpp(143) : JSC::JSObject *JSC::IntendedStructureChain::terminalPrototype() const 1 0x10dea92b0 WTFCrash 2 0x10dadfe96 JSC::IntendedStructureChain::terminalPrototype() const 3 0x10de62c96 JSC::ComplexGetStatus::computeFor(JSC::CodeBlock*, JSC::Structure*, JSC::StructureChain*, unsigned int, WTF::StringImpl*) 4 0x10da286f9 JSC::GetByIdStatus::computeForStubInfo(JSC::ConcurrentJITLocker const&, JSC::CodeBlock*, JSC::StructureStubInfo*, WTF::StringImpl*, JSC::CallLinkStatus::ExitSiteData) 5 0x10da2799b JSC::GetByIdStatus::computeFor(JSC::CodeBlock*, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> >&, unsigned int, WTF::StringImpl*) 6 0x10da29fbb JSC::GetByIdStatus::computeFor(JSC::CodeBlock*, JSC::CodeBlock*, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> >&, WTF::HashMap<JSC::CodeOrigin, JSC::StructureStubInfo*, JSC::CodeOriginApproximateHash, WTF::HashTraits<JSC::CodeOrigin>, WTF::HashTraits<JSC::StructureStubInfo*> >&, JSC::CodeOrigin, WTF::StringImpl*) 7 0x10d6e8ed7 JSC::DFG::ByteCodeParser::parseBlock(unsigned int) 8 0x10d6e1629 JSC::DFG::ByteCodeParser::parseCodeBlock() 9 0x10d6ef97a JSC::DFG::ByteCodeParser::parse() 10 0x10d6efcae JSC::DFG::parse(JSC::DFG::Graph&) 11 0x10d887951 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) 12 0x10d887566 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) 13 0x10d94a640 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) 14 0x10d948c34 JSC::DFG::Worklist::threadFunction(void*) 15 0x10defce69 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const 16 0x10defce3c std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()() 17 0x10ded207a std::__1::function<void ()>::operator()() const 18 0x10defbdbe WTF::threadEntryPoint(void*) 19 0x10defd7c8 WTF::wtfThreadEntryPoint(void*) 20 0x7fff8cede2fc _pthread_body 21 0x7fff8cede279 _pthread_body 22 0x7fff8cedc4b1 thread_start LEAK: 2 WebPageProxy LEAK: 2 WebContext
Created attachment 242113 [details] Patch
Committed r176506: <http://trac.webkit.org/changeset/176506>
*** Bug 138772 has been marked as a duplicate of this bug. ***
Comment on attachment 242113 [details] Patch Can you write a test for this? I think the test case here is more valuable than the patch, since this is code that changes a lot, and this mistake can easily be reintroduced. It looks like the key to this bug is invoking tryBuildGetByIDList(), with an object whose prototype is explicitly null. So, you can probably get this to happen by writing a test case where we repeatedly do an access, for three or four different structures, and each structure has a null prototype. One way to get a null prototype is to explicitly set object.__proto__ = null.
var o1 = { __proto__: null, a: 0, b: 0 }; var o2 = { __proto__: null, a: 0, c: 0 }; var o3 = { __proto__: null, a: 0, d: 0 }; function access(o) { return o.a; } do a lot: access(o1) access(o2) access(o3)