Bug 141194

Summary: Crash in JIT code
Product: WebKit
Reporter: Han Choongwoo <cwhan.tunz>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW ---
Severity: Major
CC: ggaren
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Description Han Choongwoo 2015-02-03 00:54:48 PST
-----------------
(function() {
    var a;
    (function() {
        for (var i = 0; i < 10000; i++);
        a // reference to the outer closure variable after the hot loop
    })();
})();
----------------

This code crashes.

I cannot find the reason.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb2a23bb0 in ?? ()
(gdb) bt
#0  0x00007fffb2a23bb0 in ?? ()
#1  0x000000000000000a in ?? ()
#2  0x000000000000000a in ?? ()
#3  0x000000000000000a in ?? ()
#4  0x000000000000000a in ?? ()
#5  0x000000000000000a in ?? ()
#6  0x00007fffb01cff80 in ?? ()
#7  0x00007fffffffd610 in ?? ()
#8  0x00007ffff7c09fe8 in llint_entry ()
   from /development/tunz/javascript/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
Backtrace stopped: frame did not save the PC
(gdb) x/i $pc
=> 0x7fffb2a23bb0:      mov    0x20(%rax),%rax
(gdb) i r rax
rax            0xa      10

Found with afl-fuzz.
Comment 1 Alexey Proskuryakov 2015-02-03 12:40:01 PST
This test doesn't cause a crash on Mac for me.
Comment 2 Han Choongwoo 2015-02-03 17:13:02 PST
It seems so.
I've tested it on Ubuntu 14.04.1, x86_64, gtk port.