The weirdest thing about this is the fact that the bug occurs after a page reload. Does Safari cache JIT code and the JavaScript heap/objects between page loads?
When JavaScript is parsed by JSC, it's compiled to a cacheable bytecode; this includes GC-allocated constants for constant expressions (numbers, strings, and the underlying storage for some complex types like arrays and regexps).
The cacheable code is kept in a big function source -> bytecode hash table.
The cacheable bytecode is then "linked" to a bytecode that is optimized for execution speed. That bytecode has things like create_array, etc., that can take the immutable backing store object we generated earlier.
This means that if you have multiple functions with identical source code you only have to do the expensive parse+compile step once, and you end up with multiple independent functions using the same constant/immutable backing stores. This saves memory and helps performance.
Unfortunately it adds complexity: now the mutable objects have "immutable" backing stores, so you have to implement copy-on-write semantics in order to not share state between different instances of the linked code. In this case it appears that a required CoW check was missing :(
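To make the copy-on-write discipline described in the comment above concrete, here is an added toy model (not code from the thread, and not JavaScriptCore's actual internals): a shared "immutable" backing store, a mutator that performs the CoW check before the first write, and a mutator with that check missing, so that one instance's write leaks into every other instance linked to the same store. The names `ConstantStore`, `linkArrayLiteral`, `pushWithCow` and `pushWithoutCow` are invented for illustration. The last function is a plain engine-level check a practitioner can run in any JavaScript runtime: two functions with identical source each evaluate an array literal, and mutating one result must not be visible through the other.

```javascript
// Added example modelling the CoW-on-shared-backing-store idea from the
// comment above. All names here are hypothetical, not JSC's real types.

// The "immutable backing store" produced once at parse/compile time and
// shared by every linked copy of the same source text.
class ConstantStore {
  constructor(values) {
    this.values = values; // shared payload
    this.shared = true;   // mutators must consult this before writing
  }
}

// Stands in for the linked bytecode's create_array: each function instance
// gets its own array object that initially points at the shared store.
function linkArrayLiteral(store) {
  return { store };
}

// Correct mutator: copy the backing store before the first write so the
// instance owns private storage; other instances keep reading the original.
function pushWithCow(arr, value) {
  if (arr.store.shared) {
    const privateStore = new ConstantStore(arr.store.values.slice());
    privateStore.shared = false;
    arr.store = privateStore;
  }
  arr.store.values.push(value);
  return arr.store.values.slice();
}

// Defective mutator: the CoW check is missing, so the write lands in the
// store that every other linked instance still points at.
function pushWithoutCow(arr, value) {
  arr.store.values.push(value);
  return arr.store.values.slice();
}

// Runs both mutators on two instances that share one store each and
// reports what the *untouched* sibling instance observes afterwards.
function demo() {
  const storeA = new ConstantStore([1, 2, 3]);
  const a1 = linkArrayLiteral(storeA);
  const a2 = linkArrayLiteral(storeA);
  pushWithCow(a1, 4);
  const siblingWithCow = a2.store.values.slice();    // [1, 2, 3]

  const storeB = new ConstantStore([1, 2, 3]);
  const b1 = linkArrayLiteral(storeB);
  const b2 = linkArrayLiteral(storeB);
  pushWithoutCow(b1, 4);
  const siblingWithoutCow = b2.store.values.slice(); // [1, 2, 3, 4] leaked

  return { siblingWithCow, siblingWithoutCow };
}

// Real-engine check: identical function source, independent literal results.
function literalsAreIndependent() {
  const f = new Function('return [1, 2, 3];');
  const g = new Function('return [1, 2, 3];');
  const x = f();
  x.push(4);            // mutate one instance's array
  const y = g();        // the other instance must still see the constant
  return y.length === 3 && f().length === 3;
}

console.log(demo(), literalsAreIndependent());
```

In a correctly behaving engine `literalsAreIndependent()` returns `true`; the toy `demo()` shows what a missing check would look like from the outside, with the sibling instance observing a write it never made.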
It has a bfcache which attempts to restore page state when going backwards/forwards. My guess would be there's something wrong with the cache behaviour, leading it to restore the old heap and re-execute the JS.