Patch forthcoming.
Created attachment 328937
the patch
Comment on attachment 328937
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=328937&action=review

> Source/JavaScriptCore/heap/MarkedBlock.cpp:405
> + RELEASE_ASSERT(!m_isFreeListed);

The old branch was never taken?
(In reply to Saam Barati from comment #2)
> Comment on attachment 328937
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=328937&action=review
>
> > Source/JavaScriptCore/heap/MarkedBlock.cpp:405
> > + RELEASE_ASSERT(!m_isFreeListed);
>
> The old branch was never taken?

Nope. It doesn't make sense that m_isFreeListed would be true, and if it was, simply returning couldn't possibly be the right thing to do. My best theory is this: this was landed originally in a patch where I had added that logic to support something else, and then removed that something else, but didn't remove the check.
Landed in https://trac.webkit.org/changeset/225734/webkit
<rdar://problem/35958652>