On Mountain Lion with WebKit trunk r127470, I usually get at least one crash in the fast/profiler layout tests when looking up the scope on a JSFunction during recompilation. Since http://trac.webkit.org/changeset/127202 recently changed how this works in JSC, I'm choosing it as the revision to blame :-)

Here's a stack trace (from fast/profiler/document-dot-write.html). The faulting address 0x8, together with frames 0-5, is consistent with a field read at a small offset through a null pointer while the function's scope cell is being validated; that reading is inferred from the trace and not confirmed.

Process: DumpRenderTree [6124]
Path: /Volumes/VOLUME/*/DumpRenderTree
Identifier: DumpRenderTree
Version: 0
Code Type: X86-64 (Native)
Parent Process: Python [6082]
User ID: 501
Date/Time: 2012-09-04 11:22:28.458 -0700
OS Version: Mac OS X 10.8.1 (12B19)
Report Version: 10
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000008
VM Regions Near 0x8:
--> __TEXT 0000000100ae9000-0000000100b8a000 [ 644K] r-x/rwx SM=COW /Volumes/VOLUME/*

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x0000000100d747dc JSC::WriteBarrierBase<JSC::Structure>::unvalidatedGet() const + 12 (WriteBarrier.h:139)
1 com.apple.JavaScriptCore 0x0000000100d6fe8c JSC::JSCell::unvalidatedStructure() + 28 (JSCell.h:147)
2 com.apple.JavaScriptCore 0x0000000100f8a4b7 JSC::slowValidateCell(JSC::JSCell*) + 71 (JSCell.cpp:167)
3 com.apple.JavaScriptCore 0x0000000100d6d035 void JSC::validateCell<JSC::JSCell*>(JSC::JSCell*) + 21 (WriteBarrier.h:56)
4 com.apple.JavaScriptCore 0x0000000100d8132d JSC::WriteBarrierBase<JSC::JSScope>::get() const + 45 (WriteBarrier.h:104)
5 com.apple.JavaScriptCore 0x0000000100d80f57 JSC::JSFunction::scope() + 119 (JSFunction.h:75)
6 com.apple.JavaScriptCore 0x0000000100e16bcf (anonymous namespace)::Recompiler::operator()(JSC::JSCell*) + 207 (Debugger.cpp:81)
7 com.apple.JavaScriptCore 0x0000000100e16ada void JSC::MarkedBlock::forEachCell<(anonymous namespace)::Recompiler>((anonymous namespace)::Recompiler&) + 122 (MarkedBlock.h:411)
8 com.apple.JavaScriptCore 0x0000000100e167af (anonymous namespace)::Recompiler::ReturnType JSC::MarkedSpace::forEachCell<(anonymous namespace)::Recompiler>((anonymous namespace)::Recompiler&) + 159 (MarkedSpace.h:148)
9 com.apple.JavaScriptCore 0x0000000100e166ce JSC::Debugger::recompileAllJSFunctions(JSC::JSGlobalData*) + 174 (Debugger.cpp:121)
10 com.apple.WebCore 0x000000010333b289 WebCore::PageScriptDebugServer::recompileAllJSFunctions(WebCore::Timer<WebCore::ScriptDebugServer>*) + 105 (PageScriptDebugServer.cpp:118)
11 com.apple.WebCore 0x00000001036c04b3 WebCore::Timer<WebCore::ScriptDebugServer>::fired() + 115 (Timer.h:100)
12 com.apple.WebCore 0x0000000103a06b4d WebCore::ThreadTimers::sharedTimerFiredInternal() + 285 (ThreadTimers.cpp:118)
13 com.apple.WebCore 0x0000000103a068e9 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94)
14 com.apple.WebCore 0x0000000103747d23 WebCore::timerFired(__CFRunLoopTimer*, void*) + 67 (SharedTimerMac.mm:167)
15 com.apple.CoreFoundation 0x00007fff8a7314b4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
16 com.apple.CoreFoundation 0x00007fff8a730fcd __CFRunLoopDoTimer + 557
17 com.apple.CoreFoundation 0x00007fff8a7167b9 __CFRunLoopRun + 1513
18 com.apple.CoreFoundation 0x00007fff8a715dd2 CFRunLoopRunSpecific + 290
19 com.apple.Foundation 0x00007fff85555ace -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
20 DumpRenderTree 0x0000000100b00df1 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 4977 (DumpRenderTree.mm:1362)
21 DumpRenderTree 0x0000000100aff9fa runTestingServerLoop() + 282 (DumpRenderTree.mm:832)
22 DumpRenderTree 0x0000000100aff2b7 dumpRenderTree(int, char const**) + 391 (DumpRenderTree.mm:879)
23 DumpRenderTree 0x0000000100b015f9 main + 105 (DumpRenderTree.mm:916)
24 libdyld.dylib 0x00007fff835a17e1 start + 1
<rdar://problem/12235021>
The legacy profiler has been removed, so this test no longer exists. The test also seems to have been passing without issue in early 2013.