Bug 291356
| Summary: | Negative zero in fiatInt52 makes JavaScriptCore crash. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | keith_miller, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
EntryHi
Hello, I found a bug in JavaScriptCore.
poc.js
```js
for (let v0 = 0; v0 < 100; v0++) {
    fiatInt52(-0);                       // -0 is not an Int52 value
    for (let v4 = 0; v4 < 100; v4++) {}
}
```
Reproduction steps:
1. Compile JSC in Debug mode or Release mode;
(commit id: 25d80dcb4ad37d0780f9a88f05c01de0a1935c04)
2. Run: ./jsc poc.js --useConcurrentJIT=0
Result:
Trace/breakpoint trap (core dumped)
JavaScriptCore crashed in the JITted code.
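Why -0 is awkward for an intrinsic that expects an Int52, as an added illustration (not part of the bug report or WebKit's code): -0 is strictly equal to 0 and passes Number.isInteger, so a naive integer-range check accepts it, yet it is a distinct double value with no integer encoding. The Int52 range used here, [-2^51, 2^51), is my assumption about JavaScriptCore's representation and is not stated on the page.

```javascript
// Added example: telling -0 apart from 0 and checking Int52 representability.
// Int52 range [-2^51, 2^51) is assumed here; the bug report does not state it.
const INT52_MIN = -(2 ** 51);
const INT52_MAX = 2 ** 51 - 1;

// Classify a JS number the way a value representation cares about it.
function classifyNumber(x) {
  if (typeof x !== 'number') return 'not-a-number-type';
  if (Number.isNaN(x)) return 'nan';
  if (x === 0) return Object.is(x, -0) ? 'negative-zero' : 'zero';
  if (!Number.isFinite(x)) return 'infinity';
  return Number.isInteger(x) ? 'integer' : 'fraction';
}

// Naive check: accepts -0, because -0 === 0 and Number.isInteger(-0) is true.
function naiveIsInt52(x) {
  return Number.isInteger(x) && x >= INT52_MIN && x <= INT52_MAX;
}

// Strict check: additionally rejects -0, which has no integer encoding.
function isInt52Representable(x) {
  return naiveIsInt52(x) && !Object.is(x, -0);
}

// Values accepted by the naive check but rejected by the strict one.
function gapBetweenChecks(values) {
  return values.filter(v => naiveIsInt52(v) && !isInt52Representable(v));
}

// Constructed sample inputs covering zero, -0, range edges and non-integers.
const SAMPLE = [0, -0, 1, -1, 2 ** 51 - 1, 2 ** 51, -(2 ** 51), 1.5, NaN, Infinity];

function report(values) {
  return values.map(v => ({
    value: Object.is(v, -0) ? '-0' : String(v),
    kind: classifyNumber(v),
    naive: naiveIsInt52(v),
    strict: isInt52Representable(v),
  }));
}

for (const row of report(SAMPLE)) console.log(row);
```

The only input on which the two checks disagree is -0: the naive check treats it as an ordinary in-range integer, while the strict check refuses it. That is the class of mismatch a type-speculating JIT has to guard against before treating a value as an integer.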
Radar WebKit Bug Importer
<rdar://problem/149464800>
Yusuke Suzuki
Looks like it is fixed via bug 292197. Thanks!
Yusuke Suzuki
*** This bug has been marked as a duplicate of bug 292197 ***