<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Crash in com.apple.JavaScriptCore: JSC::JSObject::visitButterfly + 302"
href="https://bugs.webkit.org/show_bug.cgi?id=164840">164840</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Crash in com.apple.JavaScriptCore: JSC::JSObject::visitButterfly + 302
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>Other
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>ryanhaddad@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Crash in com.apple.JavaScriptCore: JSC::JSObject::visitButterfly + 302
Seen with LayoutTest sputnik/Unicode/Unicode_510/S7.6_A3.2.html
<a href="https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK2%20(Tests)/r208806%20(16264)/results.html">https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK2%20(Tests)/r208806%20(16264)/results.html</a>
Process: com.apple.WebKit.WebContent.Development [61271]
Path: /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development
Identifier: com.apple.WebKit.WebContent
Version: 603+ (603.1.12+)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: com.apple.WebKit.WebContent.Development [61271]
User ID: 501
Date/Time: 2016-11-16 14:49:45.400 -0800
OS Version: Mac OS X 10.10.5 (14F1909)
Report Version: 11
Anonymous UUID: C9EC8ADD-8E2F-2A5C-D1B0-4BDF54F896B6
Time Awake Since Boot: 3600000 seconds
Crashed Thread: 14 WTF::AutomaticThread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef
VM Regions Near 0xbbadbeef:
-->
__TEXT 00000001053ef000-00000001053f4000 [ 20K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development
Application Specific Information:
CRASHING TEST: sputnik/Unicode/Unicode_510/S7.6_A3.2.html
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff86f8d136 __psynch_cvwait + 10
1 com.apple.JavaScriptCore 0x0000000109faefc0 WTF::ThreadCondition::wait(WTF::Mutex&) + 48
2 com.apple.JavaScriptCore 0x0000000109faf068 WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 104
3 com.apple.JavaScriptCore 0x0000000109f766c2 WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) + 418
4 com.apple.JavaScriptCore 0x0000000109732ef0 WTF::ParkingLot::ParkResult WTF::ParkingLot::parkConditionally<WTF::ParkingLot::ParkResult WTF::ParkingLot::compareAndPark<unsigned int, unsigned int>(WTF::Atomic<unsigned int> const*, unsigned int)::'lambda'(), WTF::ParkingLot::ParkResult WTF::ParkingLot::compareAndPark<unsigned int, unsigned int>(WTF::Atomic<unsigned int> const*, unsigned int)::'lambda0'()>(void const*, unsigned int const&, unsigned int const&, WTF::TimeWithDynamicClockType const&) + 96
5 com.apple.JavaScriptCore 0x00000001097203cd WTF::ParkingLot::ParkResult WTF::ParkingLot::compareAndPark<unsigned int, unsigned int>(WTF::Atomic<unsigned int> const*, unsigned int) + 77
6 com.apple.JavaScriptCore 0x000000010971b093 JSC::Heap::stopIfNecessarySlow(unsigned int) + 291
7 com.apple.JavaScriptCore 0x000000010971af46 JSC::Heap::stopIfNecessarySlow() + 54
8 com.apple.JavaScriptCore 0x00000001097208ce JSC::Heap::stopIfNecessary() + 62
9 com.apple.JavaScriptCore 0x00000001097155fb JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*) + 155
10 com.apple.JavaScriptCore 0x000000010971c5ef JSC::Heap::decrementDeferralDepthAndGCIfNeeded() + 79
11 com.apple.JavaScriptCore 0x0000000108e99188 JSC::DeferGC::~DeferGC() + 24
12 com.apple.JavaScriptCore 0x0000000108e969e5 JSC::DeferGC::~DeferGC() + 21
13 com.apple.JavaScriptCore 0x0000000108eacbdf bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) + 1759
14 com.apple.JavaScriptCore 0x0000000108ea8b4d JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) + 269
15 com.apple.JavaScriptCore 0x000000010991b379 JSC::JSFunction::createBuiltinFunction(JSC::VM&, JSC::FunctionExecutable*, JSC::JSGlobalObject*) + 169
16 com.apple.JavaScriptCore 0x00000001099cdad0 JSC::JSObject::putDirectBuiltinFunction(JSC::VM&, JSC::JSGlobalObject*, JSC::PropertyName const&, JSC::FunctionExecutable*, unsigned int) + 176
17 com.apple.JavaScriptCore 0x00000001099d2d37 JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) + 247
18 com.apple.JavaScriptCore 0x0000000109aba634 JSC::setUpStaticFunctionSlot(JSC::VM&, JSC::HashTableValue const*, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&) + 292
19 com.apple.JavaScriptCore 0x00000001099d26a8 JSC::getStaticPropertySlotFromTable(JSC::VM&, JSC::HashTable const&, JSC::JSObject*, JSC::PropertyName, JSC::PropertySlot&) + 168
20 com.apple.JavaScriptCore 0x00000001099c9448 JSC::JSObject::getOwnStaticPropertySlot(JSC::VM&, JSC::PropertyName, JSC::PropertySlot&) + 120
21 com.apple.JavaScriptCore 0x0000000108e94eb5 JSC::JSObject::getOwnNonIndexPropertySlot(JSC::VM&, JSC::Structure*, JSC::PropertyName, JSC::PropertySlot&) + 165
22 com.apple.JavaScriptCore 0x0000000108e9440a JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 90
23 com.apple.JavaScriptCore 0x0000000109d1bf60 JSC::StringObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 128
24 com.apple.JavaScriptCore 0x0000000108eb3b75 JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 533
25 com.apple.JavaScriptCore 0x0000000108eb3786 JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 294
26 com.apple.JavaScriptCore 0x0000000108eb736a JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 266
27 com.apple.JavaScriptCore 0x0000000108eaba35 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 53
28 com.apple.JavaScriptCore 0x0000000109aacf0a llint_slow_path_get_by_id + 346
29 com.apple.JavaScriptCore 0x0000000109abdf50 llint_entry + 12444
30 com.apple.JavaScriptCore 0x0000000109ac23d5 llint_entry + 29985
31 com.apple.JavaScriptCore 0x0000000109ac23d5 llint_entry + 29985
32 com.apple.JavaScriptCore 0x0000000109abac9e vmEntryToJavaScript + 334
33 com.apple.JavaScriptCore 0x000000010988a81c JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 332
34 com.apple.JavaScriptCore 0x00000001098052ce JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4878
35 com.apple.JavaScriptCore 0x00000001090d55d5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 677
36 com.apple.JavaScriptCore 0x00000001090d572e JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 94
37 com.apple.WebCore 0x000000010e97c9eb WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 75
38 com.apple.WebCore 0x000000010e976378 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 312
39 com.apple.WebCore 0x000000010e97649d WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) + 61
40 com.apple.WebCore 0x000000010e98b40a WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 730
41 com.apple.WebCore 0x000000010e989cb8 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 2376
42 com.apple.WebCore 0x000000010d28245c WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 364
43 com.apple.WebCore 0x000000010d28226a WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 138
44 com.apple.WebCore 0x000000010d1a33a2 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 1362
45 com.apple.WebCore 0x000000010d1a3526 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 214
46 com.apple.WebCore 0x000000010d1a268d WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 445
47 com.apple.WebCore 0x000000010d1a2daf WebCore::HTMLDocumentParser::resumeParsingAfterYield() + 47
48 com.apple.WebCore 0x000000010d26b048 WebCore::HTMLParserScheduler::continueNextChunkTimerFired() + 152
49 com.apple.WebCore 0x000000010d26c928 void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) + 248
50 com.apple.WebCore 0x000000010d26c7fc std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() + 44
51 com.apple.WebCore 0x000000010c56fe8a std::__1::function<void ()>::operator()() const + 26
52 com.apple.WebCore 0x000000010c56fd9c WebCore::Timer::fired() + 28
53 com.apple.WebCore 0x000000010ee5e9ea WebCore::ThreadTimers::sharedTimerFiredInternal() + 394
54 com.apple.WebCore 0x000000010ee5fc31 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const + 33
55 com.apple.WebCore 0x000000010ee5fbfd void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) + 45
56 com.apple.WebCore 0x000000010ee5fb9c std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() + 44
57 com.apple.WebCore 0x000000010c56fe8a std::__1::function<void ()>::operator()() const + 26
58 com.apple.WebCore 0x000000010e134f4f WebCore::MainThreadSharedTimer::fired() + 111
59 com.apple.WebCore 0x000000010e135359 WebCore::timerFired(__CFRunLoopTimer*, void*) + 41
60 com.apple.CoreFoundation 0x00007fff8d0532e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
61 com.apple.CoreFoundation 0x00007fff8d052f73 __CFRunLoopDoTimer + 1059
62 com.apple.CoreFoundation 0x00007fff8d0c653d __CFRunLoopDoTimers + 301
63 com.apple.CoreFoundation 0x00007fff8d00e608 __CFRunLoopRun + 2024
64 com.apple.CoreFoundation 0x00007fff8d00dbd8 CFRunLoopRunSpecific + 296
65 com.apple.HIToolbox 0x00007fff8bd5356f RunCurrentEventLoopInMode + 235
66 com.apple.HIToolbox 0x00007fff8bd532ea ReceiveNextEventCommon + 431
67 com.apple.HIToolbox 0x00007fff8bd5312b _BlockUntilNextEventMatchingListInModeWithFilter + 71
68 com.apple.AppKit 0x00007fff8570d8ab _DPSNextEvent + 978
69 com.apple.AppKit 0x00007fff8570ce58 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
70 com.apple.AppKit 0x00007fff85702af3 -[NSApplication run] + 594
71 com.apple.AppKit 0x00007fff8567f244 NSApplicationMain + 1832
72 libxpc.dylib 0x00007fff8c158928 _xpc_objc_main + 793
73 libxpc.dylib 0x00007fff8c15a030 xpc_main + 490
74 com.apple.WebKit.WebContent 0x00000001053f0710 main + 800
75 libdyld.dylib 0x00007fff848fc5c9 start + 1</pre>
</div>
</p>
</body>
</html>