To reproduce it, click the "Enter" button in the page. [tomeu@cizrna (master) build]$ gdb --args ./Programs/GtkLauncher --enable-webgl=1 --enable-accelerated-compositing=1 http://ro.me/ ASSERTION FAILED: use.useKind() != DoubleUse ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2756) : JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge) #0 0x00007ffff23e837e in JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand (this= 0x7fffffff76a0, jit=0x7fffffff9790, use=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2756 #1 0x00007ffff23d563b in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff9790, node=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2943 #2 0x00007ffff23fe1da in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff9790, block=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1106 #3 0x00007ffff23ff7ef in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff9790) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1328 #4 0x00007ffff239f82c in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa750, speculative=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:91 #5 0x00007ffff23a07ad in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa750, entry=..., entryWithArityCheck=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:268 #6 0x00007ffff239628a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec= 0x7fff7fc002d8, codeBlock=0x40debb0, jitCode=..., jitCodeWithArityCheck=0x7fff79f171d8) at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:123 #7 0x00007ffff2395a6d in JSC::DFG::tryCompileFunction (exec=0x7fff7fc002d8, codeBlock= 0x40debb0, jitCode=..., jitCodeWithArityCheck=...) at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:141 #8 0x00007ffff252648f in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff7fc002d8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable= @0x7fff79f17248: 0x2202b40, jitType=JSC::JITCode::DFGJIT, effort=JSC::JITCompilationCanFail) at ../Source/JavaScriptCore/jit/JITDriver.h:95 #9 0x00007ffff2526744 in JSC::prepareFunctionForExecution (exec=0x7fff7fc002d8, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable= @0x7fff79f17248: 0x2202b40, jitType=JSC::JITCode::DFGJIT, kind=JSC::CodeForCall) at ../Source/JavaScriptCore/runtime/ExecutionHarness.h:64 #10 0x00007ffff252458e in JSC::FunctionExecutable::compileForCallInternal (this= 0x7fff79f17180, exec=0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80, jitType=JSC::JITCode::DFGJIT) at ../Source/JavaScriptCore/runtime/Executable.cpp:529 #11 0x00007ffff25239df in JSC::FunctionExecutable::compileOptimizedForCall (this= 0x7fff79f17180, exec=0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80) at ../Source/JavaScriptCore/runtime/Executable.cpp:440 #12 0x00007ffff22d977b in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fff79f17180, exec=0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80, kind=JSC::CodeForCall) at ../Source/JavaScriptCore/runtime/Executable.h:611 #13 0x00007ffff22d5ea1 in JSC::FunctionCodeBlock::compileOptimized (this=0x29a8830, exec= 0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2690 #14 0x00007ffff247bdff in JSC::cti_optimize (args=0x7fffffffcb70) at ../Source/JavaScriptCore/jit/JITStubs.cpp:1990 #15 0x00007ffff2478387 in JSC::JITThunks::tryCacheGetByID (callFrame=0xffffca80, codeBlock= Python Exception <class 'gdb.error'> There is no member or method named m_hashAndFlags.: 0x7ffff22d977b, returnAddress=..., baseValue=..., propertyName=, slot=..., stubInfo= 0x7fff00000589) at ../Source/JavaScriptCore/jit/JITStubs.cpp:975 #16 0x00007fffffffcba0 in ?? () #17 0x00007fff00000589 in ?? () #18 0x0000000001d8a128 in ?? () #19 0x00007fff4d0a8d80 in ?? () #20 0x00007fff00000004 in ?? () #21 0x00007fff79ef1a80 in ?? () #22 0x00007fffffffcbd0 in ?? () #23 0x00007ffff229fa43 in JSC::JSValue::decode (ptr=0x45e7e8c78948104d) at ../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:336 Backtrace stopped: previous frame inner to this frame (corrupt stack?)