<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)"
href="https://bugs.webkit.org/show_bug.cgi?id=159588">159588</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>msaboff@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Here is the stack trace from within the debugger:
(lldb) btjs
* thread #1: tid = 0x1ca2eee, 0x00000001086ca294, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=[value truncated in the original paste])
frame #0: 0x00000001086ca294 JavaScriptCore`::WTFCrash() + 36 at Assertions.cpp:323
frame #1: 0x00000001084f58d0 JavaScriptCore`JSC::SlotVisitor::appendToMarkStack(this=0x0000000104ff5498, cell=0x0000000106877490) + 80 at SlotVisitor.cpp:176
frame #2: 0x0000000107f9e45b JavaScriptCore`JSC::Heap::addToRememberedSet(this=0x0000000104ff1018, cell=0x0000000106877490) + 251 at Heap.cpp:1085
frame #3: 0x00000001077ebced JavaScriptCore`JSC::Heap::writeBarrier(this=0x0000000104ff1018, from=0x0000000106877490) + 237 at HeapInlines.h:121
frame #4: 0x0000000107e7cfc0 JavaScriptCore`JSC::ScriptExecutable::installCode(this=0x0000000106877490, vm=0x0000000104ff1000, genericCodeBlock=0x000000010686b280, codeType=FunctionCode, kind=CodeForCall) + 1744 at Executable.cpp:266
frame #5: 0x000000010797d341 JavaScriptCore`JSC::CodeBlock::jettison(this=0x0000000106845e40, reason=JettisonDueToUnprofiledWatchpoint, mode=CountReoptimization, detail=0x00007fff5b2564e8) + 1569 at CodeBlock.cpp:3481
frame #6: 0x00000001079a8682 JavaScriptCore`JSC::CodeBlockJettisoningWatchpoint::fireInternal(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 130 at CodeBlockJettisoningWatchpoint.cpp:40
frame #7: 0x00000001086796d2 JavaScriptCore`JSC::Watchpoint::fire(this=0x000000010dbfb9d8, detail=0x00007fff5b2564e8) + 114 at Watchpoint.cpp:56
frame #8: 0x0000000108679d28 JavaScriptCore`JSC::WatchpointSet::fireAllWatchpoints(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 408 at Watchpoint.cpp:131
frame #9: 0x0000000108679b84 JavaScriptCore`JSC::WatchpointSet::fireAllSlow(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 116 at Watchpoint.cpp:92
frame #10: 0x00000001079037a0 JavaScriptCore`JSC::WatchpointSet::fireAll(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 80 at Watchpoint.h:160
frame #11: 0x000000010790373e JavaScriptCore`JSC::WatchpointSet::invalidate(this=0x000000010dbfbc30, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 62 at Watchpoint.h:186
frame #12: 0x0000000107fc502a JavaScriptCore`JSC::InlineWatchpointSet::invalidate(this=0x000000010683eae8, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 74 at Watchpoint.h:315
frame #13: 0x0000000107fc4d1b JavaScriptCore`JSC::InferredValue::invalidate(this=0x000000010683eae0, vm=0x0000000104ff1000, detail=0x00007fff5b2564e8) + 75 at InferredValue.h:94
frame #14: 0x0000000107fc4fd0 JavaScriptCore`JSC::InferredValue::ValueCleanup::finalizeUnconditionally(this=0x0000000104d1bed0) + 304 at InferredValue.cpp:128
frame #15: 0x00000001084f7448 JavaScriptCore`JSC::SlotVisitor::finalizeUnconditionalFinalizers(this=0x0000000104ff5498) + 88 at SlotVisitor.cpp:460
frame #16: 0x0000000107f9a9db JavaScriptCore`JSC::Heap::finalizeUnconditionalFinalizers(this=0x0000000104ff1018) + 43 at Heap.cpp:486
frame #17: 0x0000000107f9eba6 JavaScriptCore`JSC::Heap::collectImpl(this=0x0000000104ff1018, collectionType=FullCollection, stackOrigin=0x00007fff5b259000, stackTop=0x00007fff5b256718, calleeSavedRegisters=0x00007fff5b256730) [37]) + 1478 at Heap.cpp:1179
frame #18: 0x0000000107f9e59d JavaScriptCore`JSC::Heap::collect(this=0x0000000104ff1018, collectionType=FullCollection) + 141 at Heap.cpp:1107
frame #19: 0x0000000107f9e4c5 JavaScriptCore`JSC::Heap::collectAndSweep(this=0x0000000104ff1018, collectionType=FullCollection) + 53 at Heap.cpp:1093
frame #20: 0x00000001049aac0a jsc`JSC::Heap::collectAllGarbage(this=0x0000000104ff1018) + 26 at Heap.h:168
frame #21: 0x00000001049b50ed jsc`functionGCAndSweep(exec=0x00007fff5b256860) + 45 at jsc.cpp:1326
frame #22: 0x000044fcad601028
frame #23: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
frame #24: 0x000044fcad628635
frame #25: 0x000044fcad61fdf1
frame #26: 0x00000001082f7e0c JavaScriptCore`llint_entry + 28040 at LowLevelInterpreter.asm:753
frame #27: 0x00000001082f0e6e JavaScriptCore`vmEntryToJavaScript + 334 at LowLevelInterpreter64.asm:253
frame #28: 0x00000001080e7f77 JavaScriptCore`JSC::JITCode::execute(this=0x0000000104d979b0, vm=0x0000000104ff1000, protoCallFrame=0x00007fff5b256d18) + 215 at JITCode.cpp:80
frame #29: 0x00000001080754ce JavaScriptCore`JSC::Interpreter::execute(this=0x0000000104df20b0, program=0x000000010579ff70, callFrame=0x00000001057e3940, thisObj=0x00000001057aba40) + 4270 at Interpreter.cpp:961
frame #30: 0x0000000107a04d2d JavaScriptCore`JSC::evaluate(exec=0x00000001057e3940, source=0x00007fff5b258298, thisValue=JSValue @ 0x00007fff5b2581a0, returnedException=0x00007fff5b2582b8) + 477 at Completion.cpp:107
frame #31: 0x00000001049b2b31 jsc`runWithScripts(globalObject=0x00000001057e3900, scripts={ size = 1, capacity = 0 }, uncaughtExceptionName={ length = 0, contents = '' }, dump=false, module=false) + 1329 at jsc.cpp:2101
frame #32: 0x00000001049aa6ee jsc`runJSC(vm=0x0000000104ff1000, options=CommandLine @ 0x00007fff5b258828) + 1326 at jsc.cpp:2348
frame #33: 0x00000001049a94ba jsc`jscmain(argc=2, argv=0x00007fff5b258938) + 138 at jsc.cpp:2401
frame #34: 0x00000001049a9326 jsc`main(argc=2, argv=0x00007fff5b258938) + 166 at jsc.cpp:1983
frame #35: 0x00007fffdd7d4255 libdyld.dylib`start + 1
frame #36: 0x00007fffdd7d4255 libdyld.dylib`start + 1</pre>
</div>
</p>
</body>
</html>