Bug 141194
| Summary: | Crash in JIT code | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Han Choongwoo <cwhan.tunz> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Major | CC: | ggaren |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Han Choongwoo
-----------------
(function() {
var a;
(function() {
for(var i = 0; i < 10000; i++);
a
})();
})();
----------------
this code crahses.
I cannot find the reason.
Program received signal SIGSEGV, Segmentation fault.
0x00007fffb2a23bb0 in ?? ()
(gdb) bt
#0 0x00007fffb2a23bb0 in ?? ()
#1 0x000000000000000a in ?? ()
#2 0x000000000000000a in ?? ()
#3 0x000000000000000a in ?? ()
#4 0x000000000000000a in ?? ()
#5 0x000000000000000a in ?? ()
#6 0x00007fffb01cff80 in ?? ()
#7 0x00007fffffffd610 in ?? ()
#8 0x00007ffff7c09fe8 in llint_entry ()
from /development/tunz/javascript/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
Backtrace stopped: frame did not save the PC
(gdb) x/i $pc
=> 0x7fffb2a23bb0: mov 0x20(%rax),%rax
(gdb) i r rax
rax 0xa 10
found with afl-fuzz
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
This test doesn't cause a crash on Mac for me.
Han Choongwoo
It seems so..
I've tested it on Ubuntu 14.04.1, x86_64, gtk port.