Visiting http://energie-developpement.blogspot.fr/2017/04/programme-energie-climat-lepen-macron.html makes WebKitGTK2 segfault. Happens with Epiphany and other web browsers using WebKitGTK2.
I've seen this before, but hadn't moved it upstream yet. Great that you found a reproducer. It looks like this crash is fairly rare; we only have 86 reports of it total in Fedora. I've got a backtrace, but unfortunately as with any JSC crash it's of quite limited value:

#0  0x00007fd5ae464660 in JSC::JSValue::isString() const (this=0x7ffd44060e00) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
#1  0x00007fd5ae464660 in JSC::JSValue::equalSlowCaseInline(JSC::ExecState*, JSC::JSValue, JSC::JSValue) (v2=..., v1=..., exec=0x7ffd44060f80) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:930
#2  0x00007fd5ae464660 in JSC::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue) (exec=0x7ffd44060f80, encodedOp1=<optimized out>, encodedOp2=<optimized out>) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/jit/JITOperations.cpp:1086
#3  0x00007fd54823be14 in ()
#4  0x00007fd4fcd44908 in ()
#5  0xffff000000000000 in ()
#6  0xffff000000000002 in ()
#7  0x00007fd5482324fe in ()
#8  0xffff000000000000 in ()
#9  0xffff000000000000 in ()
#10 0xffff000000000000 in ()
#11 0x00007fd5120bbbe0 in ()
#12 0x00007fd5107a3640 in ()
#13 0x00007fd5ae852c5e in bmalloc::PerThreadStorage<bmalloc::Cache>::get() () at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/PerThread.h:94
#14 0x00007fd5ae852c5e in bmalloc::PerThread<bmalloc::Cache>::getFastCase() () at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/PerThread.h:118
#15 0x00007fd5ae852c5e in bmalloc::Cache::allocate(unsigned long) (size=140553723314176) at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/Cache.h:77
#16 0x00007fd5ae852c5e in bmalloc::api::malloc(unsigned long) (size=140553723314176) at /usr/src/debug/webkitgtk-2.16.1/Source/bmalloc/bmalloc/bmalloc.h:43
#17 0x00007fd5ae852c5e in WTF::fastMalloc(unsigned long) (size=140553723314176) at /usr/src/debug/webkitgtk-2.16.1/Source/WTF/wtf/FastMalloc.cpp:256
#18 0x00007fd5ae75016a in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:53
        end = <optimized out>
#19 0x00007fd5ae75016a in JSC::PropertyTable::PropertyTable(JSC::VM&, JSC::PropertyTable const&) (this=0x7fd4ef1497a8, vm=..., other=...) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/PropertyTable.cpp:77
        end = <optimized out>
#20 0xffff0000793cc336 in ()
#21 0x0000000000000008 in ()
#22 0x00007fd4ef181b90 in ()
#23 0x00007fd5106d1c80 in ()
#24 0x00007fd5107a3640 in ()
#25 0x00007fd53697e6e0 in ()
#26 0x00007fd5120a1260 in ()
#27 0x00007fd5106d1c80 in ()
#28 0x00007ffd00000000 in ()
#29 0x00007fd400000000 in ()
#30 0x00007fd4ef1b6920 in ()
#31 0x00007fd4ef181b90 in ()
#32 0x00007fd5793cc336 in ()
#33 0x00007fd4ef181b90 in ()
#34 0x00007fd53697e6e0 in ()
#35 0x00007fd4ef14c9a0 in ()
#36 0x00007fd4ef151b70 in ()
#37 0x00007fd512422068 in ()
#38 0x00007fd536c00000 in ()
#39 0x00007fd52ac91460 in ()
#40 0x00007fd4fcd44908 in ()
#41 0xffff000000000000 in ()
#42 0xffff000000000002 in ()
#43 0x00007ffd44061000 in ()
#44 0x00007fd54812df1a in ()
#45 0x00007fd4f483b8e0 in ()
#46 0x00007fd5121745b0 in ()
#47 0x0000000300000003 in ()
#48 0x00007fd512422068 in ()
#49 0x00007fd4ef1adc20 in ()
#50 0x00007fd4ef151b70 in ()
#51 0x00007fd5121745b0 in ()
#52 0x00007fd512179000 in ()
#53 0x00007fd4ef151b70 in ()
#54 0x00007fd512422068 in ()
#55 0x00007fd512422068 in ()
#56 0x00007fd4fcd44908 in ()
#57 0xffff000000000000 in ()
#58 0xffff000000000002 in ()
#59 0x00007ffd44061080 in ()
#60 0x00007fd54814f80a in ()
#61 0x00007fd510686020 in ()
#62 0x00007fd512179000 in ()
#63 0x000000aa00000002 in ()
#64 0x00007fd4ef14e8a0 in ()
#65 0x00007fd4ef1adc20 in ()
#66 0xffff000000000000 in ()
#67 0x00007ffd440610e0 in ()
#68 0x00007fd4ef151b40 in ()
#69 0x00007fd4f48be260 in ()
#70 0x00007fd536c00000 in ()
#71 0x00007fd52ac91460 in ()
#72 0x00007fd4fcd44908 in ()
#73 0xffff000000000000 in ()
#74 0xffff000000000002 in ()
#75 0x00007ffd44061150 in ()
#76 0x00007fd5481f13c6 in ()
#77 0x00007fd4f493fb20 in ()
#78 0x00007fd51214edd0 in ()
#79 0x0000000000000001 in ()
#80 0x00007fd4ef151b40 in ()
#81 0x000000000000000a in ()
#82 0x00007fd512422068 in ()
#83 0x00007fd512422068 in ()
#84 0x00007fd4ef151b40 in ()
#85 0x00007fd4ef1adc20 in ()
#86 0xffff000000000002 in ()
#87 0x00007ffd44061190 in ()
#88 0x00007fd4ef150a30 in ()
#89 0x00007fd51067c2e0 in ()
#90 0x00007fd5ae21ed6b in JSC::DFG::operationNewEmptyArray(JSC::ExecState*, JSC::Structure*) (exec=<optimized out>, arrayStructure=0x7fd4ef182050) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCellInlines.h:168
#91 0x00007fd4fcd44908 in ()
#92 0xffff000000000000 in ()
#93 0xffff000000000002 in ()
#94 0x00007ffd440611e0 in ()
#95 0x00007fd5ae4c0c91 in llint_entry () at /lib64/libjavascriptcoregtk-4.0.so.18
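The reason a trace like the one above is "of quite limited value" is visible in its shape: a few symbolized frames around the crash, then long runs of `in ()` frames where gdb has no unwind information because the return addresses belong to JIT-compiled code, and stack words such as 0xffff000000000002 that are not code addresses at all. As an added example (not part of this bug report or of WebKit), the small triage script below parses gdb backtrace lines in that format, separates symbolized from unsymbolized frames, flags words that carry JSC's 64-bit number tag (the TagTypeNumber constant is my assumption about the value encoding, documented in the code), and reports whether a JIT gap sits between symbolized frames. The sample frames are trimmed from the trace in this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of frames in the shape gdb prints them,
# trimmed from the trace in the bug report above.
SAMPLE_TRACE = """\
#0  0x00007fd5ae464660 in JSC::JSValue::isString() const (this=0x7ffd44060e00) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
#1  0x00007fd5ae464660 in JSC::JSValue::equalSlowCaseInline(JSC::ExecState*, JSC::JSValue, JSC::JSValue) (v2=..., v1=..., exec=0x7ffd44060f80) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:930
#2  0x00007fd5ae464660 in JSC::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue) (exec=0x7ffd44060f80, encodedOp1=<optimized out>, encodedOp2=<optimized out>) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/jit/JITOperations.cpp:1086
#3  0x00007fd54823be14 in ()
#4  0x00007fd4fcd44908 in ()
#5  0xffff000000000000 in ()
#6  0xffff000000000002 in ()
#7  0x00007fd5482324fe in ()
#8  0x00007fd5ae4c0c91 in llint_entry () at /lib64/libjavascriptcoregtk-4.0.so.18
"""

# One gdb frame line: "#N  0xADDR in FUNC (args) at FILE:LINE". The address is
# optional because gdb omits it for frame 0 when the pc is at a line boundary.
FRAME_RE = re.compile(r"^#(\d+)\s+(?:(0x[0-9a-fA-F]+) in )?(.*?)(?: at (\S+))?\s*$")

# Assumption: JSC's 64-bit value encoding marks boxed int32/double values with
# 0xffff in the top 16 bits (TagTypeNumber). A stack word with that pattern is
# a JSValue, not a return address, so gdb's heuristic unwinder prints it as a frame.
TAG_TYPE_NUMBER = 0xFFFF000000000000


@dataclass
class Frame:
    index: int
    address: Optional[int]
    function: str
    location: Optional[str]

    @property
    def symbolized(self) -> bool:
        # gdb prints "in ()" when it has no symbol for the address.
        return self.function != "()"

    @property
    def looks_like_boxed_value(self) -> bool:
        return self.address is not None and (self.address & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output, skipping locals and register dumps."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        idx, addr, func, loc = m.groups()
        frames.append(Frame(int(idx), int(addr, 16) if addr else None, func.strip(), loc))
    return frames


def summarize(frames: List[Frame]) -> Dict[str, object]:
    """Counts that tell a triager how much of the trace is usable."""
    symbolized = [f for f in frames if f.symbolized]
    unsymbolized = [f for f in frames if not f.symbolized]
    sym_idx = [f.index for f in symbolized]
    # A run of unsymbolized frames between symbolized ones is the signature of
    # JIT code on the stack: the C++ frames below it are reached from the JIT.
    jit_gap = bool(sym_idx) and any(min(sym_idx) < f.index < max(sym_idx) for f in unsymbolized)
    crash = frames[0] if frames else None
    return {
        "crash_site": f"{crash.function} at {crash.location}" if crash else None,
        "symbolized": len(symbolized),
        "unsymbolized": len(unsymbolized),
        "boxed_values": sum(1 for f in unsymbolized if f.looks_like_boxed_value),
        "jit_gap": jit_gap,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_backtrace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

Run on the full trace from the report, the script confirms what the comment says by eye: only three frames near the crash and a few bmalloc, PropertyTable, DFG and LLInt frames carry symbols, and everything in between is JIT code or JSValue data, which is why the crash needs a reproducer rather than a trace to be bisected.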
Created attachment 308860 [details]
Backtrace, registers, assembler, etc.

I'm attaching the backtrace from Red Hat Bugzilla, as it shows extras like register state and assembler dump that I think could be helpful for this bug. Note the crash is here:

#0  JSC::JSValue::isString (this=0x7ffdb95fefe0) at /usr/src/debug/webkitgtk-2.16.1/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:576
576	    return isCell() && asCell()->isString();
Also note that the Red Hat Bugzilla trace shows a *slightly* different crash, as it shows JSC::DFG::operationValueAddNotNumber at frame 36, while my trace above instead shows JSC::DFG::operationNewEmptyArray at frame 90. But I bet it's the same underlying issue.
The test page is working fine for me with the MiniBrowser on today's trunk (r216073). So I guess this was fixed between 2.16.0=r212635 and r216073.
Good to know, thanks Carlos. Unfortunately that's 3438 commits to look through. Hey JSC devs, does this trace look familiar? Maybe someone will remember fixing this recently?
*** This bug has been marked as a duplicate of bug 173643 ***