Created attachment 421602 [details] GTK release local crash log imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/evaluation-order-4-tla.html Debug builds passing. Trace: Thread 1 (Thread 0x7f9cb2c989c0 (LWP 157)): #0 0x00007f9cb8886558 in JSC::mapProtoFuncSet(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #1 0x00007f9c71fff1d8 in () #2 0x00007ffed90c73a0 in () #3 0x00007f9cb79c2323 in llint_op_call () at /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18 #4 0x0000000000000000 in () Printf'ing, the crash seems to occur in the map->set(..) call inside mapProtoFuncSet. Full trace attached.
Interesting... this crash doesn't seem to happen on the Mac port. I'm not sure what would be different about the GTK build? Is it possible to figure out what line in mapProtoFuncSet we are crashing on?
(In reply to Keith Miller from comment #1) > Interesting... this crash doesn't seem to happen on the Mac port. I'm not > sure what would be different about the GTK build? Is it possible to figure > out what line in mapProtoFuncSet we are crashing on? I could not get a proper backtrace, but it's consistently crashing accessing the string content in the first iter->key() when rehashing a map right after inserting the key "http://localhost:8800/html/semantics/scripting-1/the-script-element/module/evaluation-order-4.2.mjs". (e.g. asString(iter->key())->length() is enough to crash).
<rdar://problem/75074133>
Crash is gone after r274239 / bug223039.