Summary: Crash under ShadowChicken::update / ExecState::scope when debugging nytimes.

I'm at r213392.

Steps to reproduce:
1. Inspect http://nytimes.com
2. Reload, wait a while
=> Crash

(lldb) c
Process 29581 resuming
Process 29581 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x3503a3c00098)
    frame #0: 0x0000000107c7de8c JavaScriptCore`JSC::MarkedBlock::vm(this=0x00003503a3c00000) const at MarkedBlock.h:411
   408
   409 	inline VM* MarkedBlock::vm() const
   410 	{
-> 411 	    return m_vm;
   412 	}
   413
   414 	inline WeakSet& MarkedBlock::Handle::weakSet()

# Seems related to running out of stack (there are well over 1000 frames in a loop)

(lldb) btjs
* thread #1: tid = 0xa219a4, 0x0000000107c7de8c, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=2, addre?$3#?
    frame #0: 0x0000000107c7de8c JavaScriptCore`JSC::MarkedBlock::vm(this=0x00003503a3c00000) const at MarkedBlock.h:411
    frame #1: 0x0000000107c7ddf1 JavaScriptCore`JSC::HeapCell::vm(this=0x00003503a3c01660) const at HeapCellInlines.h:67
    frame #2: 0x00000001081eb60b JavaScriptCore`JSC::JSScope* JSC::jsCast<JSC::JSScope*, JSC::JSCell>(from=0x00003503a3c01660) at JSCell.h:273
    frame #3: 0x00000001081e47ed JavaScriptCore`JSC::Register::scope(this=0x00007fff5d026790) const at JSScope.h:144
    frame #4: 0x000000010822d0fe JavaScriptCore`JSC::ExecState::scope(this=0x00007fff5d0267b0, scopeRegisterOffset=-4) const at CallFrame.h:98
    frame #5: 0x0000000108dec0b3 JavaScriptCore`JSC::ShadowChicken::update(this=0x00007fff5d0263d8, visitor=0x00007fff5d026290)::$_1::operator()(JSC::StackVisitor&) const at ShadowChicken.cpp:302
    frame #6: 0x0000000108deaaf8 JavaScriptCore`void JSC::StackVisitor::visit<JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*)::$_1>(startFrame=0x00007fff5d0267b0, functor=0x00007fff5d0263d8)::$_1 const&) at StackVisitor.h:137
    frame #7: 0x0000000108dea44f JavaScriptCore`JSC::ShadowChicken::update(this=0x000000011b3c9180, vm=0x0000000120800000, exec=0x00007fff5d0267b0) at ShadowChicken.cpp:275
    frame #8: 0x0000000108de9d20 JavaScriptCore`JSC::ShadowChicken::log(this=0x000000011b3c9180, vm=0x0000000120800000, exec=0x00007fff5d0267b0, packet=0x00007fff5d0265e0) at ShadowChicken.cpp:83
    frame #9: 0x0000000108979eed JavaScriptCore`JSC::genericUnwind(vm=0x0000000120800000, callFrame=0x00007fff5d0267b0, unwindStart=UnwindFromCurrentFrame) at JITExceptions.cpp:60
    frame #10: 0x000000010897a22f JavaScriptCore`JSC::genericUnwind(vm=0x0000000120800000, callFrame=0x00007fff5d0267b0) at JITExceptions.cpp:96
    frame #11: 0x0000000108b91a02 JavaScriptCore`::llint_slow_path_handle_exception(exec=0x00007fff5d0267b0, pc=0x00007f8b03804950) at LLIntSlowPaths.cpp:1518
    frame #12: 0x0000000108b9b5db h#B1gxSr [LLInt](Cell[JSLexicalEnvironment ID: 28826]: 0x1234ddb20, "https://www.nytimes.com/?WT.z_jog=1&hF=t&vS=undefined")
    frame #13: 0x0000000108b9df8f w#D8YyHm [LLInt](Cell[Object ID: 4683]: 0x13b5764a0, "https://www.nytimes.com/?WT.z_jog=1&hF=t&vS=undefined")
    frame #14: 0x0000000108b9df8f de#BHPGKi [LLInt](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf640, "https://www.nytimes.com/?WT.z_jog=1&hF=t&vS=undefined")
    frame #15: 0x00003503a4535bdb $#Bwzogy [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf640)
    frame #16: 0x00003503a498a6fc #C0Iknr [Baseline](Undefined, Cell[Object ID: 4683]: 0x13b5764a0, Cell[Object ID: 5944]: 0x13b9e9020, Cell[Object ID: 36843]: 0x13f9637c0, Cell[Object ID: 4698]: 0x1392d7aa0, Cell[Object ID: 5949]: 0x
    frame #17: 0x00003503a3e97bff i#Awig6o [DFG](Undefined, Cell[Array ID: 24604]: 0x137020610, Cell[Function ID: 24686]: 0x139528460)
    frame #18: 0x00003503a3e97bff i#Awig6o [DFG](Cell[JSDOMWindowShell ID: 8373]: 0x120bd40a0, Cell[Array ID: 24604]: 0x12cd7b740)
    frame #19: 0x00003503a3c3b158 ge#CicR9j [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf160, "customutil")
    frame #20: 0x00003503a3e99ffc $#Bwzogy [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bf160)
    frame #21: 0x00003503a498a6fc #C0Iknr [Baseline](Undefined, Cell[Object ID: 4683]: 0x13b5764a0, Cell[Object ID: 5944]: 0x13b9e9020, Cell[Object ID: 36843]: 0x13f9637c0, Cell[Object ID: 4698]: 0x1392d7aa0, Cell[Object ID: 5949]: 0x
    frame #22: 0x00003503a3e97bff i#Awig6o [DFG](Undefined, Cell[Array ID: 24604]: 0x137020610, Cell[Function ID: 24686]: 0x139528460)
    frame #23: 0x00003503a3e97bff i#Awig6o [DFG](Cell[JSDOMWindowShell ID: 8373]: 0x120bd40a0, Cell[Array ID: 24604]: 0x12cd7b790)
    frame #24: 0x00003503a3c3b158 ge#CicR9j [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bec80, "customutil")
    frame #25: 0x00003503a3e99ffc $#Bwzogy [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6bec80)
    frame #26: 0x00003503a498a6fc #C0Iknr [Baseline](Undefined, Cell[Object ID: 4683]: 0x13b5764a0, Cell[Object ID: 5944]: 0x13b9e9020, Cell[Object ID: 36843]: 0x13f9637c0, Cell[Object ID: 4698]: 0x1392d7aa0, Cell[Object ID: 5949]: 0x
    frame #27: 0x00003503a3e97bff i#Awig6o [DFG](Undefined, Cell[Array ID: 24604]: 0x137020610, Cell[Function ID: 24686]: 0x139528460)
    frame #28: 0x00003503a3e97bff i#Awig6o [DFG](Cell[JSDOMWindowShell ID: 8373]: 0x120bd40a0, Cell[Array ID: 24604]: 0x12cd7b800)
    frame #29: 0x00003503a3c3b158 ge#CicR9j [Baseline](Cell[JSLexicalEnvironment ID: 28826]: 0x13a6be7a0, "customutil")
    ...

# Looks like it is important to have Web Inspector open for Debugging opcodes, which looks up the scope differently

(lldb) f 5
frame #5: 0x0000000108dec0b3 JavaScriptCore`JSC::ShadowChicken::update(this=0x00007fff5d0263d8, visitor=0x00007fff5d026290)::$_1::operator()(JSC::StackVisitor&) const at ShadowChicken.cpp:302
   299 	        JSScope* scope = nullptr;
   300 	        CodeBlock* codeBlock = callFrame->codeBlock();
   301 	        if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && codeBlock->scopeRegister().isValid()) {
-> 302 	            scope = callFrame->scope(codeBlock->scopeRegister().offset());
   303 	            RELEASE_ASSERT(scope->inherits(vm, JSScope::info()));
   304 	        } else if (foundFrame) {
   305 	            scope = m_log[indexInLog].scope;
<rdar://problem/31800894>
I am unable to reproduce this now in trunk. It's possible this bug still exists and the page has changed, or it's possible that this issue has been fixed in the meantime. I think we can close, and if someone comes across this crash again, file a new bug.