Bug 305721
| Summary: | Crashing in thought-to-be-unreachable FTL-generated code | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | katoshi1337 |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
katoshi1337
Poc.js:

```js
let v1 = 2.0;
for (let v2 = 0; v2 < 100; v2++) {
    let v3 = -1061384422;
    function f4(a5, a6, a7) {
        if (!(a5 == -4294967297)) {
        }
        a5 * a6;
        Math.abs(Math);
        v3++;
        return v1;
    }
    for (let v13 = 0; v13 < 100; v13++) {
        f4(v13, v1);
    }
}
v1++;
gc(); // gc() is a builtin of the jsc shell, not standard JavaScript
```
```sh
./jsc --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 ./poc.js
```

```
Crashing in thought-to-be-unreachable FTL-generated code for <global>#BI1NYd:[0x7fffe94a07b0->0x7fffe94a0150->0x7fffeb02d988, FTLGlobal, 195 (DidTryToEnterInLoop)] at basic block #5, node @0.
```
Radar WebKit Bug Importer
<rdar://problem/168397840>
Yusuke Suzuki
This is a deterministic crash via FTL unreachable. So not a security issue.
Yusuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/57066
EWS
Committed 306060@main (dc60e5a7e380): <https://commits.webkit.org/306060@main>
Reviewed commits have been landed. Closing PR #57066 and removing active labels.