It looks like https://bugs.webkit.org/show_bug.cgi?id=180306 may have broken some executions because (I'm guessing here) I call some internal objects. Explicitly ignore objects whose name starts with "$" because it's a bad idea anyways.
OK, I can reproduce the crashes locally:

#0  0x000000000067c7b6 in JSC::CodeBlock::unlinkIncomingCalls() ()
#1  0x0000000000ce044d in JSC::ScriptExecutable::installCode(JSC::VM&, JSC::CodeBlock*, JSC::CodeType, JSC::CodeSpecializationKind) ()
#2  0x0000000000a1d4cc in JSC::JITWorklist::Plan::compileNow(JSC::CodeBlock*, unsigned int) ()
#3  0x0000000000a1a66a in JSC::JITWorklist::compileLater(JSC::CodeBlock*, unsigned int) ()
#4  0x0000000000a45923 in JSC::LLInt::jitCompileAndSetHeuristics(JSC::CodeBlock*, JSC::ExecState*, unsigned int) ()
#5  0x0000000000a44073 in llint_loop_osr ()
#6  0x0000000000a32964 in llint_entry ()
#7  0x0000000000a32c90 in llint_entry ()
#8  0x0000000000a2bb08 in vmEntryToJavaScript ()
#9  0x00000000009d4952 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
#10 0x00000000009ae252 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) ()
#11 0x0000000000b5b94d in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) ()
#12 0x0000000000666419 in jscmain(int, char**) ()
#13 0x000000000065c1ea in main ()

No data members because I was silly and did a release build specifically for this, thinking to avoid all the extra failures from asserts that are occurring in debug builds (we need to get a handle on those). I can redo it with a debug build if filtering out the $ objects doesn't work and you need a better backtrace.
Created attachment 328381 [details] patch
(In reply to Michael Catanzaro from comment #1)
> OK, I can reproduce the crashes locally:

Does it still repro with my change?
Comment on attachment 328381 [details]
patch

Clearing flags on attachment: 328381

Committed r225493: <https://trac.webkit.org/changeset/225493>
All reviewed patches have been landed. Closing bug.
<rdar://problem/35838830>
(In reply to JF Bastien from comment #3)
> (In reply to Michael Catanzaro from comment #1)
> > OK, I can reproduce the crashes locally:
>
> Does it still repro with my change?

No, the bots are happy again. Thanks!