| Summary: | Trace trap in JIT-compiled code | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Samuel Groß <saelo> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bfulgham, d_degazio, mark.lam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Pull request: https://github.com/WebKit/WebKit/pull/5973 Committed 256197@main (5faa0d3ac693): <https://commits.webkit.org/256197@main> Reviewed commits have been landed. Closing PR #5973 and removing active labels. |
The following sample triggers a SIGTRAP in JSC built from latest HEAD in debug configuration: function main() { let v0 = -256; do { function v2(v3,v4,v5) { const v6 = eval; const v8 = 16 / v5; function v9(v10,v11) { try { const v12 = v9(); } catch(v13) { const v14 = []; const v15 = []; const v16 = v15.__proto__; const v17 = v14.values; const v19 = {"set":v17}; const v21 = Object.defineProperty(v16,1,v19); function v22(v23,v24) { const v25 = []; let {"__proto__":v26,"constructor":v27,"length":v28,} = v25; const v29 = v26 || v22; const v30 = v27(); const v31 = v30.push(v25); const v32 = v30.push(v29); } const v33 = v22(); } finally { } } const v34 = v9(); let v35 = [v8]; const v36 = --v35; const v37 = v0++; } const v38 = "bigint"; const v39 = v2(); } while (v0 !== 8); gc(); } main(); // CRASH INFO // ========== // TERMSIG: 5 // STDERR: // STDOUT: // ARGS: ./jsc/jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 The crash happens in JIT-compiled code, so this may be a sign of a condition that was not expected to happen by the compiler. As this may have security implications, I'm filing this as a security issue.