The problem is that we may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per PolymorphicAccess. Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie() notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer that they will use in their destructor.

The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its exception handler in observeZeroRefCount() instead of in its destructor. observeZeroRefCount() will run when a PolymorphicAccess replaces its m_stubRoutine.
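The lifetime bug above, as an added model that is not WebKit code: a CodeBlock that owns an exception-handler table, a refcounted stub that registers a handler with it, and a PolymorphicAccess that replaces its stub on every regeneration. The class and method names (CodeBlock, PolymorphicAccess, observeZeroRefCount, aboutToDie) are borrowed from the report, but their bodies here are assumptions sketched to show the failure mode, not the real implementation. Zero-refcount stubs are queued for a later "GC sweep" instead of being deleted immediately, which is what lets the destructor run after the CodeBlock is gone. Dereferencing freed memory is replaced by a liveness registry so the stale use is counted rather than crashing.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Added model of the stale-CodeBlock-pointer bug; not WebKit code. The classes
// and the "GC sweep queue" are assumptions made for illustration.

struct CodeBlock;

static std::set<const CodeBlock*> g_liveCodeBlocks; // CodeBlocks not yet freed
static int g_staleUses = 0; // times a stub touched its CodeBlock* after the CodeBlock was freed

struct Stub {
    CodeBlock* codeBlock;          // raw, unowned pointer, as in the bug
    int refCount = 1;
    bool handlerInstalled = true;  // exception handler registered with the CodeBlock
    bool cleanupOnZeroRefCount;    // true = fixed behaviour, false = buggy behaviour

    Stub(CodeBlock* cb, bool fixed);
    void removeExceptionHandler();
    void aboutToDie() { codeBlock = nullptr; } // CodeBlock tells us it is going away
    // Dropping the last ref does not free a GC-aware routine; it is swept later.
    void deref(std::vector<Stub*>& gcSweepQueue) {
        if (--refCount == 0) { observeZeroRefCount(); gcSweepQueue.push_back(this); }
    }
    void observeZeroRefCount() { if (cleanupOnZeroRefCount) removeExceptionHandler(); }
    ~Stub() { if (!cleanupOnZeroRefCount) removeExceptionHandler(); } // buggy: runs at sweep time
};

struct CodeBlock {
    std::set<Stub*> exceptionHandlers;
    CodeBlock() { g_liveCodeBlocks.insert(this); }
    ~CodeBlock() { g_liveCodeBlocks.erase(this); }
};

Stub::Stub(CodeBlock* cb, bool fixed) : codeBlock(cb), cleanupOnZeroRefCount(fixed) {
    codeBlock->exceptionHandlers.insert(this);
}

void Stub::removeExceptionHandler() {
    if (!handlerInstalled) return;
    handlerInstalled = false;
    if (!codeBlock) return;                 // already notified via aboutToDie()
    if (!g_liveCodeBlocks.count(codeBlock)) { ++g_staleUses; return; } // would be a use-after-free
    codeBlock->exceptionHandlers.erase(this);
}

// Holds one stub at a time; regenerating replaces it and drops the old stub's ref.
struct PolymorphicAccess {
    Stub* stubRoutine = nullptr;
    void regenerate(CodeBlock* cb, bool fixed, std::vector<Stub*>& gcSweepQueue) {
        Stub* fresh = new Stub(cb, fixed);
        if (stubRoutine) stubRoutine->deref(gcSweepQueue);
        stubRoutine = fresh;
    }
    // Only the currently installed stub hears that the CodeBlock is dying.
    void aboutToDie() { if (stubRoutine) stubRoutine->aboutToDie(); }
};

struct Outcome {
    int handlersAtDeath; // handlers still registered when the CodeBlock dies
    int staleUses;       // destructor-time uses of a freed CodeBlock
};

Outcome runScenario(bool fixed, int regenerations) {
    g_staleUses = 0;
    std::vector<Stub*> gcSweepQueue;
    auto cb = std::make_unique<CodeBlock>();
    PolymorphicAccess access;
    for (int i = 0; i < regenerations; ++i) access.regenerate(cb.get(), fixed, gcSweepQueue);
    Outcome out{ static_cast<int>(cb->exceptionHandlers.size()), 0 };
    access.aboutToDie();                     // reaches only the last stub
    cb.reset();                              // CodeBlock memory is freed
    access.stubRoutine->deref(gcSweepQueue); // last stub's ref goes away too
    access.stubRoutine = nullptr;
    for (Stub* s : gcSweepQueue) delete s;   // GC sweep: destructors run after the CodeBlock is gone
    out.staleUses = g_staleUses;
    return out;
}

int main() {
    Outcome buggy = runScenario(false, 3);
    Outcome fixedRun = runScenario(true, 3);
    std::printf("destructor cleanup: handlers at death=%d stale uses=%d\n", buggy.handlersAtDeath, buggy.staleUses);
    std::printf("observeZeroRefCount cleanup: handlers at death=%d stale uses=%d\n", fixedRun.handlersAtDeath, fixedRun.staleUses);
    return 0;
}
```

With three regenerations the destructor-based variant leaves all three handlers registered when the CodeBlock dies and the two replaced stubs each touch the freed CodeBlock from their destructors; a single regeneration never trips it, which is why the bug only shows when a PolymorphicAccess regenerates more than once. The observeZeroRefCount-based variant unregisters each replaced stub at replacement time, while the CodeBlock is still alive, and the last stub has already had its pointer cleared by aboutToDie().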
Created attachment 263539: patch
Comment on attachment 263539: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=263539&action=review

r=me

> Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:129
> +GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler()
> +{
> }

Maybe get rid of the destructor now, since you don't need it anymore.

> Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h:101
> ~GCAwareJITStubRoutineWithExceptionHandler() override;

No need to override if we don't need it.
Thanks for the review. I've included your suggestions in the landed patch.

Landed in: http://trac.webkit.org/changeset/191350