There exists a race between VMTraps::willDestroyVM() (which removes SignalSenders from its m_signalSenders list) and SignalSender::send() (which removes itself from the list). In the event that SignalSender::send() removes itself between the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up with a NULL sender pointer. The fix is to add the missing null check before using the sender pointer.
Created attachment 304411
Created attachment 304412
proposed patch: rebased to ToT.
Thanks for the review. Landed in r213930: <http://trac.webkit.org/r213930>.
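The check-then-take race from the bug description, as an added example that is not WebKit code and not part of the patch. It is a simplified model: `Sender`, `SenderList`, `drain`, the `window` hook and `simulateLostRace` are hypothetical names, and the hook replays deterministically the interleaving in which the sender unregisters itself between the emptiness check and the take.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <set>
#include <utility>

struct Sender {
    bool notified = false;
    void vmIsBeingDestroyed() { notified = true; }
};
using SenderPtr = std::shared_ptr<Sender>;

class SenderList {
public:
    void add(SenderPtr s) { std::lock_guard<std::mutex> g(m_lock); m_senders.insert(std::move(s)); }
    // What a sender does at the end of its own send(): unregister itself.
    void remove(const SenderPtr& s) { std::lock_guard<std::mutex> g(m_lock); m_senders.erase(s); }
    bool isEmpty() { std::lock_guard<std::mutex> g(m_lock); return m_senders.empty(); }
    // Returns nullptr if the list was emptied after the caller's isEmpty() check.
    SenderPtr takeAny() {
        std::lock_guard<std::mutex> g(m_lock);
        if (m_senders.empty()) return nullptr;
        SenderPtr s = *m_senders.begin();
        m_senders.erase(m_senders.begin());
        return s;
    }
private:
    std::mutex m_lock;
    std::set<SenderPtr> m_senders;
};

// Teardown loop. `window` runs between the emptiness check and the take, standing
// in for a sender thread scheduled in that gap. Returns how many takes were null.
int drain(SenderList& list, const std::function<void()>& window) {
    int lostRaces = 0;
    while (!list.isEmpty()) {
        window();
        SenderPtr sender = list.takeAny();
        if (!sender) { ++lostRaces; continue; } // without this check the next line dereferences null
        sender->vmIsBeingDestroyed();
    }
    return lostRaces;
}

// Constructed scenario: the only sender unregisters itself inside the window.
int simulateLostRace() {
    SenderList list;
    SenderPtr only = std::make_shared<Sender>();
    list.add(only);
    return drain(list, [&] { list.remove(only); });
}
int main() { return simulateLostRace() == 1 ? 0 : 1; }
```

Each lock acquisition here is individually correct; the null pointer comes from the emptiness check and the take being two separate critical sections.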