Bug 306865

Summary: IPINT_LOCAL_SET crash
Product: WebKit Reporter: bigsean123
Component: WebAssembly    Assignee: WebKit Security Group <webkit-security-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Major CC: bfulgham, bigsean123, webkit-bug-importer
Priority: P3 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
Attachments:
  Description                  Flags
  With gc before and after     none
  without any gc() calls       none

bigsean123
Reported 2026-02-03 06:28:47 PST
Calling gc or fullGC seems to control the rax register, as in the assembly addq is used for 10 bytes from the %rsp register; if gc is called I notice register values change.

With fullGC():

Process 2086691 launched: '/home/turnerhackz1/Desktop/WebKit/WebKitBuild/Fuzzilli/Release/bin/jsc' (x86_64)
Process 2086691 stopped
* thread #1, name = 'jsc', stop reason = signal SIGUSR1
    frame #0: 0x0000555555c6a416 jsc`ipint_local_set + 22
jsc`ipint_local_set:
->  0x555555c6a416 <+22>: addq   $0x10, %rsp
    0x555555c6a41a <+26>: shlq   $0x4, %rax
    0x555555c6a41e <+30>: movups %xmm0, (%r10,%rax)
    0x555555c6a423 <+35>: movzbl (%r13), %eax
Target 0: (jsc) stopped.
(lldb) reg read
General Purpose Registers:
       rax = 0x000000000000001e
       rbx = 0x00007fffeb03dc88
       rcx = 0x0000000000000000
       rdx = 0x00007fffffb1d850
       rdi = 0x000055555847c814  jsc`__start___sancov_guards + 3225012
       rsi = 0x0000555555c68300  jsc`ipint_unreachable
       rbp = 0x00007fffffb1db00
       rsp = 0x00007fffffb1d850
        r8 = 0x00007fffeb11c130
        r9 = 0x00007fffeb11c150
       r10 = 0x00007fffffb1d860
       r11 = 0x0000000000000246
       r12 = 0x00007fffeb26c0f6
       r13 = 0x00007fffeb00db25
       r14 = 0x00007fe04d000000
       r15 = 0x0000000100800000
       rip = 0x0000555555c6a416  jsc`ipint_local_set + 22
    rflags = 0x0000000000000a83
        cs = 0x0000000000000033
        fs = 0x0000000000000000
        gs = 0x0000000000000000
        ss = 0x000000000000002b
   fs_base = 0x00007ffff7f7a740
   gs_base = 0x0000000000000000
        ds = 0x0000000000000000
        es = 0x0000000000000000

Without any gc:

(lldb) r
There is a running process, kill it and restart?: [Y/n] y
Process 2086691 exited with status = 9 (0x00000009) killed
Process 2088031 launched: '/home/turnerhackz1/Desktop/WebKit/WebKitBuild/Fuzzilli/Release/bin/jsc' (x86_64)
Process 2088031 stopped
* thread #1, name = 'jsc', stop reason = signal SIGUSR1
    frame #0: 0x0000555555c6a416 jsc`ipint_local_set + 22
jsc`ipint_local_set:
->  0x555555c6a416 <+22>: addq   $0x10, %rsp
    0x555555c6a41a <+26>: shlq   $0x4, %rax
    0x555555c6a41e <+30>: movups %xmm0, (%r10,%rax)
    0x555555c6a423 <+35>: movzbl (%r13), %eax
Target 0: (jsc) stopped.
(lldb) reg read
General Purpose Registers:
       rax = 0x000000000000001d
       rbx = 0x00007fffeb03dc88
       rcx = 0x0000000000000000
       rdx = 0x00007fffffb1d850
       rdi = 0x000055555847c814  jsc`__start___sancov_guards + 3225012
       rsi = 0x0000555555c68300  jsc`ipint_unreachable
       rbp = 0x00007fffffb1db00
       rsp = 0x00007fffffb1d850
        r8 = 0x00007fffeb124130
        r9 = 0x00007fffeb124150
       r10 = 0x00007fffffb1d860
       r11 = 0x0000000000000202
       r12 = 0x00007fffeb2600f5
       r13 = 0x00007fffeb00db21
       r14 = 0x00007fe005000000
       r15 = 0x0000000100800000
       rip = 0x0000555555c6a416  jsc`ipint_local_set + 22
    rflags = 0x0000000000000a83
        cs = 0x0000000000000033
        fs = 0x0000000000000000
        gs = 0x0000000000000000
        ss = 0x000000000000002b
   fs_base = 0x00007ffff7f7a740
   gs_base = 0x0000000000000000
        ds = 0x0000000000000000
        es = 0x0000000000000000
(lldb)

With a gc() call before WebAssembly.Instance and a fullGC() call after, it triggers a completely different crash elsewhere:

(lldb) r
There is a running process, kill it and restart?: [Y/n]
Process 2088031 exited with status = 9 (0x00000009) killed
Process 2088629 launched: '/home/turnerhackz1/Desktop/WebKit/WebKitBuild/Fuzzilli/Release/bin/jsc' (x86_64)
Process 2088629 stopped
* thread #1, name = 'jsc', stop reason = signal SIGUSR1
    frame #0: 0x00007ffff529b06f libc.so.6`futex_wake(private=<unavailable>, processes_to_wake=1, futex_word=0x00007fffeb17015c) at futex-internal.h:209:13
Target 0: (jsc) stopped.
(lldb) reg read
General Purpose Registers:
       rax = 0x0000000000000001
       rbx = 0x0000000000000081
       rcx = 0x00007ffff529b06f  libc.so.6`___pthread_cond_signal + 175 at futex-internal.h:209:13
       rdx = 0x0000000000000001
       rdi = 0x00007fffeb17015c
       rsi = 0x0000000000000081
       rbp = 0x00007fffffb1d5b0
       rsp = 0x00007fffffb1d560
        r8 = 0x00007fffeb170130
        r9 = 0x00007fffeb170150
       r10 = 0x0000000000000000
       r11 = 0x0000000000000246
       r12 = 0x0000000000000005
       r13 = 0x0000000000000001
       r14 = 0x0000000000000004
       r15 = 0x00007fffeb170134
       rip = 0x00007ffff529b06f  libc.so.6`___pthread_cond_signal + 175 at futex-internal.h:209:13
    rflags = 0x0000000000000246
        cs = 0x0000000000000033
        fs = 0x0000000000000000
        gs = 0x0000000000000000
        ss = 0x000000000000002b
   fs_base = 0x00007ffff7f7a740
   gs_base = 0x0000000000000000
        ds = 0x0000000000000000
        es = 0x0000000000000000
(lldb)
Attachments
With gc before and after (8.14 KB, application/x-javascript)
2026-02-03 06:29 PST, bigsean123
no flags
without any gc() calls (8.12 KB, application/x-javascript)
2026-02-03 06:29 PST, bigsean123
no flags
Radar WebKit Bug Importer
Comment 1 2026-02-03 06:28:53 PST
bigsean123
Comment 2 2026-02-03 06:29:18 PST
Created attachment 478231 [details] With gc before and after
bigsean123
Comment 3 2026-02-03 06:29:52 PST
Created attachment 478232 [details] without any gc() calls
bigsean123
Comment 4 2026-02-03 06:34:39 PST
Also, btw, this is in the latest Release build.
bigsean123
Comment 5 2026-02-03 06:55:48 PST
Can confirm this bug only triggers because of JIT; if executing with useJIT=false it hangs, otherwise it doesn't. Terminal output:

turnerhackz1@turnerhackz1-Aspire-A315-24P:~/Desktop$ /home/turnerhackz1/Desktop/WebKit/WebKitBuild/Fuzzilli/Release/bin/jsc --dumpGraphAtEachPhase=true --useJIT=false /home/turnerhackz1/Desktop/greatestfuzz/crashes/program_20260203072845_8136A673-8B14-450F-95B2-7B65E406C03D_deterministic.js
^C
turnerhackz1@turnerhackz1-Aspire-A315-24P:~/Desktop$ /home/turnerhackz1/Desktop/WebKit/WebKitBuild/Fuzzilli/Release/bin/jsc --dumpGraphAtEachPhase=true --useDFGJIT=true /home/turnerhackz1/Desktop/greatestfuzz/crashes/program_20260203072845_8136A673-8B14-450F-95B2-7B65E406C03D_deterministic.js
DFG(Plan) compiling F2#C6Mj4T:[0x7dcf064a02c0->0x7dcf06475800, LLIntFunctionConstruct, 233] with Baseline, instructions size = 233
DFG(Driver) compiling F2#C6Mj4T:[0x7dcf064a03a0->0x7dcf064a02c0->0x7dcf06475800, NoneFunctionConstruct, 233] with DFG, instructions size = 233
Deferring DFG compilation of F2#C6Mj4T:[0x7dcf064a03a0->0x7dcf064a02c0->0x7dcf06475800, NoneFunctionConstruct, 233] with queue length 0.
DFG(Plan) compiling F2#C6Mj4T:[0x7dcf064a03a0->0x7dcf064a02c0->0x7dcf06475800, NoneFunctionConstruct, 233] with DFG, instructions size = 233
Compiler must handle OSR entry from bc#0 with values: arg2:Object: 0x7dcf064bec80 with butterfly (nil)(base=0xfffffffffffffff8) (Structure 0x7dcd01007040:[0x1007040/16805952, Object, (0/6, 0/0){}, NonArray, Unknown, Proto:0x7dcf0647c180, Leaf]), StructureID: 16805952 arg1:Object: 0x7dcf06462820 with butterfly 0x7dcf06456fa8(base=0x7dcf06456f80) (Structure 0x7dcd01006f60:[0x1006f60/16805728, Function, (0/0, 1/4){prototype:64}, NonArray, PropertyAddition, Proto:0x7dcf080145c8, Leaf]), StructureID: 16805728 arg0:Object: 0x7dcf06462820 with butterfly 0x7dcf06456fa8(base=0x7dcf06456f80) (Structure 0x7dcd01006f60:[0x1006f60/16805728, Function, (0/0, 1/4){prototype:64}, NonArray, PropertyAddition, Proto:0x7dcf080145c8, Leaf]), StructureID: 16805728
: Beginning DFG phase backwards propagation.
: Before backwards propagation:
: DFG for F2#C6Mj4T:[0x7dcf064a03a0->0x7dcf064a02c0->0x7dcf06475800, DFGFunctionConstruct, 233]:
:   Fixpoint state: BeforeFixpoint; Form: LoadStore; Unification state: LocallyUnified; Ref count state: EverythingIsLive
:   Arguments for block#0: D@0, D@1, D@2
0 : Block #0 (bc#0): (skipped) (OSR target)
0 :   Execution count: 1.000000
0 :   Predecessors:
0 :   Successors: #2 #1
0 :   States: StructuresAreWatched, CurrentlyCFAUnreachable
0 :   Vars Before: <empty>
0 :   Intersected Vars Before: arg2:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg1:(FullTop, TOP, TOP, none:StructuresAreClobbered) arg0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc0:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc1:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc2:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc3:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc4:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc5:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc6:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc7:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc8:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc9:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc10:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc11:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc12:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc13:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc14:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc15:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc16:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc17:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc18:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc19:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc20:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc21:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc22:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc23:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc24:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc25:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc26:(FullTop, TOP, TOP, none:StructuresAreClobbered) loc27:(FullTop, TOP, TOP, none:StructuresAreClobbered)
0 :   Var Links:
 0  0 :   D@0:< 1:->  SetArgumentDefinitely(this(A~/FlushedJSValue), W:SideState, bc#0, ExitValid)  predicting None
 1  0 :   D@1:< 1:->  SetArgumentDefinitely(arg1(B~/FlushedJSValue), W:SideState, bc#0, ExitValid)  predicting None
 2  0 :   D@2:< 1:->  SetArgumentDefinitely(arg2(C~/FlushedJSValue), W:SideState, bc#0, ExitValid)  predicting None
 3  0 :   D@3:< 1:->  JSConstant(JS|PureInt, Undefined, bc#0, ExitValid)
 4  0 :   D@4:<!0:->  MovHint(Check:Untyped:D@3, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitValid)
 5  0 :   D@5:< 1:->  SetLocal(Check:Untyped:D@3, loc0(D~/FlushedJSValue), W:Stack(loc0), bc#0, ExitInvalid)  predicting None
 6  0 :   D@6:<!0:->  MovHint(Check:Untyped:D@3, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 7  0 :   D@7:< 1:->  SetLocal(Check:Untyped:D@3, loc1(E~/FlushedJSValue), W:Stack(loc1), bc#0, ExitInvalid)  predicting None
 8  0 :   D@8:<!0:->  MovHint(Check:Untyped:D@3, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid)
 9  0 :   D@9:< 1:->  SetLocal(Check:Untyped:D@3, loc2(F~/FlushedJSValue), W:Stack(loc2), bc#0, ExitInvalid)  predicting None
10  0 :   D@10:<!0:->  MovHint(Check:Untyped:D@3, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid)
11  0 :   D@11:< 1:->  SetLocal(Check:Untyped:D@3, loc3(G~/FlushedJSValue), W:Stack(loc3), bc#0, ExitInvalid)  predicting None
12  0 :   D@12:<!0:->  MovHint(Check:Untyped:D@3, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
13  0 :   D@13:< 1:->  SetLocal(Check:Untyped:D@3, loc4(H~/FlushedJSValue), W:Stack(loc4), bc#0, ExitInvalid)  predicting None
14  0 :   D@14:<!0:->  MovHint(Check:Untyped:D@3, MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid)
15  0 :   D@15:< 1:->  SetLocal(Check:Untyped:D@3, loc5(I~/FlushedJSValue), W:Stack(loc5), bc#0, ExitInvalid)  predicting None
16  0 :   D@16:< 1:->  JSConstant(JS|PureInt, Weak:Object: 0x7dcf06462820 with butterfly 0x7dcf06456fa8(base=0x7dcf06456f80) (Structure %C5:Function), StructureID: 16805728, bc#0, ExitInvalid)
17  0 :   D@17:< 1:->  JSConstant(JS|PureInt, Weak:Object: 0x7dcf08048318 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %C0:JSGlobalLexicalEnvironment), StructureID: 16782848, bc#0, ExitInvalid)
18  0 :   D@18:<!0:->  MovHint(Check:Untyped:D@17, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
19  0 :   D@19:<!0:->  ExitOK(MustGen, W:SideState, bc#0, ExitValid)
20  0 :   D@20:<!0:->  InvalidationPoint(MustGen, W:SideState, Exits, bc#0, ExitValid)
21  0 :   D@21:< 1:->  SetLocal(Check:Untyped:D@17, loc4(J~/FlushedJSValue), W:Stack(loc4), bc#0, exit: bc#1, ExitValid)  predicting None
22  0 :   D@22:<!0:->  GetLocal(JS|MustGen|PureInt, this(A~/FlushedJSValue), R:Stack(this), bc#1, ExitValid)  predicting None
23  0 :   D@23:<!0:->  MovHint(Check:Untyped:D@22, MustGen, loc5, W:SideState, ClobbersExit, bc#1, ExitValid)
24  0 :   D@24:< 1:->  SetLocal(Check:Untyped:D@22, loc5(K~/FlushedJSValue), W:Stack(loc5), bc#1, exit: bc#4, ExitValid)  predicting None
25  0 :   D@25:<!0:->  CheckIsConstant(Check:Untyped:D@22, MustGen, Exits, bc#4, ExitValid)
26  0 :   D@26:< 1:->  NewObject(JS|PureInt, %Ax:Object, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#4, ExitValid)
27  0 :   D@27:<!0:->  MovHint(Check:Untyped:D@26, MustGen, this, W:SideState, ClobbersExit, bc#4, ExitValid)
28  0 :   D@28:<!0:->  Phantom(Check:Untyped:D@22, MustGen, bc#4, ExitInvalid)
29  0 :   D@29:<!0:->  PhantomLocal(MustGen, this(A~/FlushedJSValue), W:SideState, bc#4, exit: bc#9, ExitValid)  predicting None
30  0 :   D@30:< 1:->  SetLocal(Check:Untyped:D@26, this(L!/FlushedJSValue), W:Stack(this), bc#4, exit: bc#9, ExitValid)  predicting None
31  0 :   D@31:< 1:->  JSConstant(JS|PureInt, <JSValue()>, bc#9, ExitValid)
32  0 :   D@32:<!0:->  MovHint(Check:Untyped:D@31, MustGen, loc6
Aborted (core dumped)
turnerhackz1@turnerhackz1-Aspire-A315-24P:~/Desktop$
bigsean123
Comment 6 2026-02-05 22:57:18 PST
ASAN-enabled release build yields:

#5  0x00005555564a9ef0 in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:985
#6  0x000055555a881b87 in JSC::Wasm::StorageType::elementSize (this=<optimized out>) at JavaScriptCore/PrivateHeaders/JavaScriptCore/WasmTypeDefinition.h:579
#7  JSC::Wasm::BBQJITImpl::BBQJIT::emitStore (this=this@entry=0x7fffa5bfd0e0, type=..., src=..., dst=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:4578
#8  0x000055555a8821d3 in JSC::Wasm::BBQJITImpl::BBQJIT::emitStore (this=0x7fffa5bfd0e0, type=<optimized out>, src=..., dst=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:4606
#9  0x000055555a683df1 in JSC::Wasm::BBQJITImpl::BBQJIT::emitMove (this=<optimized out>, type=<optimized out>, src=..., dst=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:5380
#10 0x000055555a6d8d1c in JSC::Wasm::BBQJITImpl::BBQJIT::emitMove (this=0x7fffa5bfd0e0, src=..., dst=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:5400
#11 JSC::Wasm::BBQJITImpl::BBQJIT::flushValue (this=this@entry=0x7fffa5bfd0e0, value=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:4107
#12 0x000055555a6d622d in JSC::Wasm::BBQJITImpl::BBQJIT::addTopLevel (this=0x7fffa5bfd0e0, signature=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:3190
#13 0x000055555a75516d in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseBody (this=this@entry=0x7fffa5bfde90) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:506
#14 0x000055555a718e9b in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parse (this=this@entry=0x7fffa5bfde90) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:482
#15 0x000055555a716e82 in JSC::Wasm::parseAndCompileBBQ (compilationContext=..., profiledCallee=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., module=..., calleeGroup=..., info=..., mode=<optimized out>, functionIndex=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:5692
#16 0x000055555a6335cf in JSC::Wasm::BBQPlan::compileFunction (this=this@entry=0x50b0000009e0, functionIndex=..., callee=..., context=..., unlinkedWasmToWasmCalls=...) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:159
#17 0x000055555a630913 in JSC::Wasm::BBQPlan::work (this=0x50b0000009e0) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:100
#18 0x000055555ac80c84 in JSC::Wasm::Worklist::Thread::work (this=0x50800000f520) at /home/turnerhackz1/Desktop/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:115
#19 0x000055555b086602 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/turnerhackz1/Desktop/WebKit/Source/WTF/wtf/AutomaticThread.cpp:228
#20 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/turnerhackz1/Desktop/WebKit/Source/WTF/wtf/Function.h:59
#21 0x000055555b0d62bb in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/turnerhackz1/Desktop/WebKit/Source/WTF/wtf/Function.h:103
#22 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /home/turnerhackz1/Desktop/WebKit/Source/WTF/wtf/Threading.cpp:258
#23 0x000055555b3fb799 in WTF::wtfThreadEntryPoint (context=0x75f5d) at /home/turnerhackz1/Desktop/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:245
#24 0x00005555564664cd in asan_thread_start(void*) ()
bigsean123
Comment 7 2026-02-11 06:19:59 PST
*** This bug has been marked as a duplicate of bug 307229 ***
bigsean123
Comment 8 2026-02-11 06:24:22 PST
Fix: https://github.com/WebKit/WebKit/commit/e5391ad90f47f92e4d9cedf10a185caff74c5198

This original bug report was posted on 02/03/2026. I reached out to the Apple security team to finally get a response, since I never got one here; I received an email back on 02/06/2026 saying this was a simple stack exhaustion. A second bug report from a different user on 02/07/2026 reported the same issue. This can now be closed, as both reports are duplicates!