Created attachment 155395 [details] dump of crash log

0 com.apple.JavaScriptCore 0x0000000107c57140 JSC::DFG::dfgBuildPutByIdList(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind) + 448 1 com.apple.JavaScriptCore 0x0000000107c4bf01 operationPutByIdStrictBuildListWithReturnAddress + 241 2 ??? 0x00004aac23e85bbd 0 + 82103197260733 3 com.apple.JavaScriptCore 0x0000000107cb87f4 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::ScopeChainNode*, int) + 1140 > I'm using the release Safari to do this now. The crash on Google Maps appears to be a nightly-only issue, I suspect that the crash you got in released Safari/WebKit was different.

new nightly does not fix this problem. Version 6.0 (7536.25, 537+)

I cannot repro in a debug build. Trying release.

I cannot reproduce in a release build of r124487. I was able to click on all sorts of things, get directions, etc. Do you have any extensions installed? Can you give more specific repro steps? Alexey, were you ever able to reproduce this?

I have several extensions installed. I've disabled them and used the most recent nightly and still got the crash.

(In reply to comment #6) > I have several extensions installed. I've disabled them and used the most recent nightly and still got the crash. Can you give me a specific set of actions that will lead to a crash? I'd really like to fix this, but I currently cannot cause the crash to happen at all. The title implies that I can "click on just about anything". I've clicked on various things that I can think to click on, but none of them result in crashes.

"I suspect that the crash you got in released Safari/WebKit was different." I did not get a crash in the Safari release. Only in the nightly. And now there have been three nightlies released which all have the crash. The crash log looks similar to me so I haven't attached any new ones.

"I suspect that the crash you got in released Safari/WebKit was different." I did not get a crash in the Safari release. Only in the nightly. And now there have been three nightlies released which all have the crash. The crash log looks similar to me so I haven't attached any new ones.

Created attachment 156180 [details] latest crash log

often simply navigating to maps.google.com will cause the crash.

(In reply to comment #7) > (In reply to comment #6) > > I have several extensions installed. I've disabled them and used the most recent nightly and still got the crash. > > Can you give me a specific set of actions that will lead to a crash? I'd really like to fix this, but I currently cannot cause the crash to happen at all. The title implies that I can "click on just about anything". I've clicked on various things that I can think to click on, but none of them result in crashes. I'm baffled that you don't get the crash. Simply opening maps.google.com will cause it sometimes.

newest nightly also crashes, just by opening maps.google.com

I can reproduce this. With a debug build and GuardMalloc, the stack trace is: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010c604d98 JSC::DFG::Node::child1() + 24 (DFGNode.h:805) 1 com.apple.JavaScriptCore 0x000000010c94526d JSC::DFG::StructureCheckHoistingPhase::run() + 7197 (DFGStructureCheckHoistingPhase.cpp:366) 2 com.apple.JavaScriptCore 0x000000010c9433b5 bool JSC::DFG::runAndLog<JSC::DFG::StructureCheckHoistingPhase>(JSC::DFG::StructureCheckHoistingPhase&) + 21 (DFGPhase.h:83) 3 com.apple.JavaScriptCore 0x000000010c943345 bool JSC::DFG::runPhase<JSC::DFG::StructureCheckHoistingPhase>(JSC::DFG::Graph&) + 37 (DFGPhase.h:95) 4 com.apple.JavaScriptCore 0x000000010c9431f8 JSC::DFG::performStructureCheckHoisting(JSC::DFG::Graph&) + 40 (DFGStructureCheckHoistingPhase.cpp:473) 5 com.apple.JavaScriptCore 0x000000010c645179 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*) + 809 (DFGDriver.cpp:105) 6 com.apple.JavaScriptCore 0x000000010c644e44 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 52 (DFGDriver.cpp:145)

(In reply to comment #14) > I can reproduce this. With a debug build and GuardMalloc, the stack trace is: > > Thread 0 Crashed:: Dispatch queue: com.apple.main-thread > 0 com.apple.JavaScriptCore 0x000000010c604d98 JSC::DFG::Node::child1() + 24 (DFGNode.h:805) > 1 com.apple.JavaScriptCore 0x000000010c94526d JSC::DFG::StructureCheckHoistingPhase::run() + 7197 (DFGStructureCheckHoistingPhase.cpp:366) > 2 com.apple.JavaScriptCore 0x000000010c9433b5 bool JSC::DFG::runAndLog<JSC::DFG::StructureCheckHoistingPhase>(JSC::DFG::StructureCheckHoistingPhase&) + 21 (DFGPhase.h:83) > 3 com.apple.JavaScriptCore 0x000000010c943345 bool JSC::DFG::runPhase<JSC::DFG::StructureCheckHoistingPhase>(JSC::DFG::Graph&) + 37 (DFGPhase.h:95) > 4 com.apple.JavaScriptCore 0x000000010c9431f8 JSC::DFG::performStructureCheckHoisting(JSC::DFG::Graph&) + 40 (DFGStructureCheckHoistingPhase.cpp:473) > 5 com.apple.JavaScriptCore 0x000000010c645179 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*) + 809 (DFGDriver.cpp:105) > 6 com.apple.JavaScriptCore 0x000000010c644e44 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 52 (DFGDriver.cpp:145) This appears to be a separate bug, since prior to http://trac.webkit.org/changeset/124404 we didn't even have this code. Creating a separate bug 93157.

Oh well. So, new debug crash is: ASSERTION FAILED: stubInfo.accessType == access_put_by_id_replace || stubInfo.accessType == access_put_by_id_transition_normal || stubInfo.accessType == access_put_by_id_transition_direct /Users/ap/Safari/OpenSource/Source/JavaScriptCore/bytecode/PolymorphicPutByIdList.cpp(105) : static JSC::PolymorphicPutByIdList *JSC::PolymorphicPutByIdList::from(JSC::PutKind, JSC::StructureStubInfo &, JSC::MacroAssemblerCodePtr) 1 0x105220cf8 JSC::PolymorphicPutByIdList::from(JSC::PutKind, JSC::StructureStubInfo&, JSC::MacroAssemblerCodePtr) 2 0x104f92dd2 _ZN3JSC3DFGL19tryBuildPutByIdListEPNS_9ExecStateENS_7JSValueERKNS_10IdentifierERKNS_15PutPropertySlotERNS_17StructureStubInfoENS_7PutKindE 3 0x104f92bc5 JSC::DFG::dfgBuildPutByIdList(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::PutPropertySlot const&, JSC::StructureStubInfo&, JSC::PutKind) 4 0x104f7dfa2 operationPutByIdStrictBuildListWithReturnAddress 5 0x10c30c14d 6 0x1050284c4 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) 7 0x10502522f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)

Created attachment 156489 [details] the patch

Comment on attachment 156489 [details] the patch r=me

Landed in http://trac.webkit.org/changeset/124678. I'm closing this bug, but I'm relying on you guys to repro since I could never repro on my machine. Please reopen if I failed to fix it!