...
Pull request: https://github.com/WebKit/WebKit/pull/11086
Committed 262068@main (f2f3c91fa89c): <https://commits.webkit.org/262068@main> Reviewed commits have been landed. Closing PR #11086 and removing active labels.
WinCairo is crashing. https://build.webkit.org/#/builders/728/builds/433

This crash is reproducible with WinCairo Debug MiniBrowser just by loading https://www.apple.com/ . I'm observing two crash backtraces.

Backtrace 1:

> ASSERTION FAILED: callFrame
> C:\home\webkit\gc\Source\JavaScriptCore\interpreter\FrameTracers.h(120) : JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer
> The thread 0x7b88 has exited with code 0 (0x0).
> 1 00007FFA6436249B WTFCrash
> 2 00007FFA579AEEFE WTFCrashWithInfo
> 3 00007FFA5834BAB1 JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer
> 4 00007FFA58286BFF operationEnumeratorNextUpdateIndexAndMode
> 5 000001E34236CC61 (null)
> Exception thrown at 0x00007FFA643624A0 (WTF.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.

Backtrace 2:

> Exception thrown: read access violation.
> **vm** was 0xFFFFFFFFFFFF62A7.
> JavaScriptCore.dll!operationEnumeratorNextUpdateIndexAndMode(JSC::JSGlobalObject * globalObject, __int64 baseValue, unsigned int index, int modeNumber, JSC::JSPropertyNameEnumerator * enumerator) Line 2359 C++
> 000002ab0008dac5() Unknown
> 000002ab6e659ef8() Unknown
> 000002ab70b38540() Unknown

This crash can be worked around by setting an env var.

> $env:JSC_useDFGJIT = 0

I can't fix this bug quickly. I'm going to revert 262068@main. I will take a look more next week.
Re-opened since this is blocked by bug 254467
Relanded by 262135@main.
rdar://107247266