Bug 253413

Pull request: https://github.com/WebKit/WebKit/pull/11086

Committed 262068@main (f2f3c91fa89c): <https://commits.webkit.org/262068@main> Reviewed commits have been landed. Closing PR #11086 and removing active labels.

WinCairo is crashing. https://build.webkit.org/#/builders/728/builds/433 This crash is reproducible with WinCairo Debug MiniBrowser just by loading https://www.apple.com/ . I'm obsering two crash backtraces. Backtrace 1: > ASSERTION FAILED: callFrame > C:\home\webkit\gc\Source\JavaScriptCore\interpreter\FrameTracers.h(120) : JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer > The thread 0x7b88 has exited with code 0 (0x0). > 1 00007FFA6436249B WTFCrash > 2 00007FFA579AEEFE WTFCrashWithInfo > 3 00007FFA5834BAB1 JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer > 4 00007FFA58286BFF operationEnumeratorNextUpdateIndexAndMode > 5 000001E34236CC61 (null) > Exception thrown at 0x00007FFA643624A0 (WTF.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF. Backtrace 2: > Exception thrown: read access violation. > **vm** was 0xFFFFFFFFFFFF62A7. > JavaScriptCore.dll!operationEnumeratorNextUpdateIndexAndMode(JSC::JSGlobalObject * globalObject, __int64 baseValue, unsigned int index, int modeNumber, JSC::JSPropertyNameEnumerator * enumerator) Line 2359 C++ > 000002ab0008dac5() Unknown > 000002ab6e659ef8() Unknown > 000002ab70b38540() Unknown This crash can be worked around by setting a env var. > $env:JSC_useDFGJIT = 0 I can't fix this bug quickly. I'm going to revert 262068@main. I will take a look more the next week.

Re-opened since this is blocked by bug 254467

Relanded by 262135@main.