Patch forthcoming.
Created attachment 286802 [details] skipping patch
Skipped in http://trac.webkit.org/changeset/204867
I'm pretty sure I know what is going on: if we put a new butterfly with more out-of-line capacity (or more pre-capacity) into an object with an old structure (or with m_indexBias reflecting the old pre-capacity) then we won't quite know how to find the base, since that calculation currently relies on the structure and m_indexBias. This is the code that causes this: char* JIT_OPERATION operationReallocateButterflyToGrowPropertyStorage(ExecState* exec, JSObject* object, size_t newSize) { VM& vm = exec->vm(); NativeCallFrameTracer tracer(&vm, exec); DeferGC deferGC(vm.heap); Butterfly* result = object->growOutOfLineStorage(vm, object->structure()->outOfLineCapacity(), newSize); object->setButterflyWithoutChangingStructure(vm, result); return reinterpret_cast<char*>(result); } Intriguingly, the use of DeferGC is one of the causes. It causes GC to run after we have already set the butterfly, rather than in a state where the object still points to the "right" butterfly for its structure. I'm tempted to say that the solution is to simply remove the DeferGC! If we do that then the GC will happen exactly where we want it to: inside growOutOfLineStorage(). That's a fine place to GC, since the object will still be in a sane state in that method.
*** Bug 161114 has been marked as a duplicate of this bug. ***
I have fixes for these crashes, I'm testing them now.
Created attachment 286835 [details] the patch
Comment on attachment 286835 [details] the patch r=me.
Landed in https://trac.webkit.org/changeset/204901