Bug 275014
| Summary: | SIGTRAP in JIT'ed code | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Gary Kwong [:gkw] [:nth10sd] <nth10sd> |
| Component: | JavaScriptCore | Assignee: | Keith Miller <keith_miller> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, keith_miller, mark.lam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
Gary Kwong [:gkw] [:nth10sd]
```js
// Testcase: hits a SIGTRAP on debug builds with the DFG JIT enabled (see below).
new (function () {
  /x/.constructor.input = /x/.constructor;
  this.constructor();
});
```
This testcase hits a SIGTRAP on debug builds on rev https://github.com/WebKit/WebKit/commit/427a310bda2e, run with: --useConcurrentJIT=false --useDFGJIT=true --useFTLJIT=false. The SIGTRAP goes away when --useDFGJIT=false.
The regressor seems to be: https://github.com/WebKit/WebKit/commit/10748e5975cd
```
10748e5975cd1f538bd71b5e68bcf61ad142fc18 is the first bad commit
commit 10748e5975cd1f538bd71b5e68bcf61ad142fc18
Author: Keith Miller
Date: Tue May 7 13:08:55 2024 -0700
JIT operations should return the current exception in a return GPR when it's free.
https://bugs.webkit.org/show_bug.cgi?id=273264
rdar://127065985
Reviewed by Yusuke Suzuki.
```
Setting s-s to be safe, as JIT'ed code may sometimes be problematic. Please feel free to open this up as needed.
Radar WebKit Bug Importer
<rdar://problem/129096982>
Gary Kwong [:gkw] [:nth10sd]
If it helps, I also found this on Ubuntu Linux 22.04.
Keith Miller
Hi, thanks for the report! I don't think this needs to be in security since it hasn't shipped yet. I think the fix is easy.
Keith Miller
Pull request: https://github.com/WebKit/WebKit/pull/29427
EWS
Committed 279625@main (e44e4c11207c): <https://commits.webkit.org/279625@main>
Reviewed commits have been landed. Closing PR #29427 and removing active labels.