On 29/01/2026 10:47, Thomas Klausner wrote:
> Hi again,
>
> a build with the patch applied and -DENABLE_JIT=OFF works fine for a
> couple web pages, so this looks like progress.
>
> But the fifth page I visited (https://derstandard.at) made it fail.
>
> ** (MiniBrowser:9506): WARNING **: 09:24:55.795: WebProcess CRASHED
> Detected offset inconsistency: numberOfSlotsForMaxOffset doesn't match
> totalSize!
> this = 0x6fff301d1750
> transitionOffset = 0
> maxOffset = 0
> m_inlineCapacity = 6
> propertyTable = 0x6fff46ed8130
> numberOfSlotsForMaxOffset = 1
> totalSize = 0
> inlineOverflowAccordingToTotalSize = 0
> numberOfOutOfLineSlotsForMaxOffset = 0
> Detected in materializePropertyTable.
> Found structure = 0x6fff301d1750
> structures = 0x6fff301d1750, 0x6fff30094aa0
>
> ** (MiniBrowser:9506): WARNING **: 09:25:37.057: WebProcess CRASHED
>
> with this backtrace:
>
> (gdb) bt
> #0 0x00006fff4d8acf8a in _lwp_kill () from /usr/lib/libc.so.12
> #1 0x00006fff4d8b7f74 in abort () at /usr/src/lib/libc/stdlib/abort.c:74
> #2 0x00006fff50578e49 in ?? () from
> /usr/pkg/lib/libjavascriptcoregtk-4.1.so.0
Please pass "-g1" to the build so we can see the name of the function
instead of ?? in the backtrace.
Also don't set "-DENABLE_C_LOOP=OFF" in the build.
The crash in this case looks like an assert that you are hitting.
Check in file Source/JavaScriptCore/runtime/StructureInlines.h where it
says "fail("numberOfSlotsForMaxOffset doesn't match totalSize");"
That is what is causing the crash. You can comment that out and then it
won't crash, but clearly something is wrong there, so you will likely end
up crashing with a segfault later. But worth trying in any case.