[Webkit-unassigned] [Bug 241538] New: JavascriptCore Crash on iOS16.0

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=241538

            Bug ID: 241538
           Summary: JavascriptCore Crash on iOS16.0
           Product: WebKit
           Version: Other
          Hardware: All
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: 894110476 at qq.com

we found a crash on our crash report system. we didn't reproduce it. from our system, we found serveral features below:

first, it may happened much times on one device;
second, it may happened on low-memory device.
finally, it may happened related to webview and react-native.

Thread 0（crashed）

1       JavaScriptCore  WTF::StringImpl::hashSlowCase() const (in JavaScriptCore) + 132
2       JavaScriptCore  WTF::HashTable<WTF::Packed<WTF::StringImpl*>, WTF::Packed<WTF::StringImpl*>, WTF::IdentityExtractor, WTF::DefaultHash<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> >, WTF::HashTraits<WTF::Packed<WTF::StringImpl*> > >::rehash(unsigned int, WTF::Packed<WTF::StringImpl*>*) (in JavaScriptCore) + 308
3       JavaScriptCore  WTF::AtomStringImpl::remove(WTF::AtomStringImpl*) (in JavaScriptCore) + 448
4       JavaScriptCore  WTF::StringImpl::~StringImpl() (in JavaScriptCore) + 76
5       JavaScriptCore  JSC::Structure::destroy(JSC::JSCell*) (in JavaScriptCore) + 104
6       JavaScriptCore  JSC::HeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const (in JavaScriptCore) + 5540
7       JavaScriptCore  JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (in JavaScriptCore) + 1164
8       JavaScriptCore  JSC::MarkedSpace::lastChanceToFinalize() (in JavaScriptCore) + 136
9       JavaScriptCore  JSC::Heap::lastChanceToFinalize() (in JavaScriptCore) + 372
10      JavaScriptCore  JSC::VM::~VM() (in JavaScriptCore) + 656
11      JavaScriptCore  JSC::JSLockHolder::~JSLockHolder() (in JavaScriptCore) + 316
12      JavaScriptCore  -[JSVirtualMachine dealloc] (in JavaScriptCore) + 84
13      libobjc.A.dylib object_cxxDestructFromClass(objc_object*, objc_class*) (in libobjc.A.dylib) + 116
14      libobjc.A.dylib objc_destructInstance (in libobjc.A.dylib) + 80
15      libobjc.A.dylib _objc_rootDealloc (in libobjc.A.dylib) + 80
16      JavaScriptCore  -[JSContext dealloc] (in JavaScriptCore) + 76
17      JavaScriptCore  -[JSValue dealloc] (in JavaScriptCore) + 148
18      libobjc.A.dylib AutoreleasePoolPage::releaseUntil(objc_object**) (in libobjc.A.dylib) + 196
19      libobjc.A.dylib objc_autoreleasePoolPop (in libobjc.A.dylib) + 256
20      CoreFoundation  _CFAutoreleasePoolPop (in CoreFoundation) + 32
21      CoreFoundation  __CFRunLoopPerCalloutARPEnd (in CoreFoundation) + 48
22      CoreFoundation  __CFRunLoopRun (in CoreFoundation) + 2076
23      CoreFoundation  CFRunLoopRunSpecific (in CoreFoundation) + 612
24      GraphicsServices        GSEventRunModal (in GraphicsServices) + 164
25      UIKitCore       -[UIApplication _run] (in UIKitCore) + 888
26      UIKitCore       UIApplicationMain (in UIKitCore) + 340
27      OurAppication   main (in JD4iPhone) (main.m:15)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220612/1b19910f/attachment.htm>