Bug 314521

Hello, I found a crash in JavaScriptCore (commit id: 11d1bc9dcc96db26818ef4cfba64719d474c4e89) poc.js ``` for (let i = -2; i; (() => { const arr = Array(7); try { Uint8Array.fromBase64(7, Array); } catch (e) {} arr[6] = 11; })() ){} ``` Reproduce: 1. Compile JavaScriptCore in Debug mode 2. Run args: ./jsc --useConcurrentJIT=0 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 poc.js Result: Segmentation fault (core dumped) Stack Trace: * thread #1, name = 'jsc', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x5) frame #0: 0x00005555570a5a4c jsc`JSC::JSCell::isCustomGetterSetter(this=0x0000000000000000) const at JSCell.h:133:48 130 JS_EXPORT_PRIVATE bool isObjectSlow() const; 131 bool isObject() const { return TypeInfo::isObject(m_type); } 132 bool isGetterSetter() const { return m_type == GetterSetterType; } -> 133 bool isCustomGetterSetter() const { return m_type == CustomGetterSetterType; } 134 bool isProxy() const { return m_type == GlobalProxyType || m_type == ProxyObjectType; } 135 bool isCallable(); 136 bool isConstructor(); Target 0: (jsc) stopped. (lldb) bt * thread #1, name = 'jsc', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x5) * frame #0: 0x00005555570a5a4c jsc`JSC::JSCell::isCustomGetterSetter(this=0x0000000000000000) const at JSCell.h:133:48 frame #1: 0x00005555570a4c68 jsc`JSC::JSValue::isCustomGetterSetter(this=0x00007fffffffbb90) const at JSCJSValueCell.h:72:34 frame #2: 0x0000555559214555 jsc`JSC::JSValue::isCustomGetterSetterSlow(this=0x00007fffffffbb90) const at JSCJSValue.cpp:464:12 frame #3: 0x00005555570f34c0 jsc`JSC::JSObject::putDirectIndex(this=0x00007fffe92a3150, globalObject=0x00007fffe90a0088, propertyName=6, value=JSValue @ 0x00007fffffffbb90, attributes=0, mode=PutDirectIndexLikePutDirect) at JSObject.h:248:9 frame #4: 0x00005555570c9b79 jsc`JSC::JSObject::putDirectIndex(this=0x00007fffe92a3150, globalObject=0x00007fffe90a0088, propertyName=6, value=JSValue @ 0x00007fffffffbbd8) at JSObject.h:276:16 frame #5: 0x000055555808ba69 jsc`operationPopulateObjectInOSR(globalObject=0x00007fffe90a0088, materialization=0x00007fffeb0a9f50, encodedValue=0x00007fffeb0a2c18, values=0x00007fffeb0a2c20) at FTLOperations.cpp:110:24 frame #6: 0x00007fffa8c423a0 frame #7: 0x00005555583dc17d jsc`llint_call_javascript + 6 frame #8: 0x0000555558cce1bd jsc`JSC::Interpreter::executeProgram(this=0x00007fffe941edb0, source=0x00007fffffffd7a8, (null)=0x00007fffe90a0088, thisObj=0x00007fffeb072188) at Interpreter.cpp:1206:28 frame #9: 0x0000555558fb5188 jsc`JSC::evaluate(globalObject=0x00007fffe90a0088, source=0x00007fffffffd7a8, thisValue=JSValue @ 0x00007fffffffd5c0, returnedException=0x00007fffffffd7c8) at Completion.cpp:145:37 frame #10: 0x0000555557080e29 jsc`runWithOptions(globalObject=0x00007fffe90a0088, options=0x000055555a753e70, success=0x00007fffffffdd2b) at jsc.cpp:3905:35 frame #11: 0x0000555557050b1c jsc`jscmain(int, char**)::$_0::operator()(this=0x00007fffffffde1b, vm=0x00007fffe9400000, globalObject=0x00007fffe90a0088, success=0x00007fffffffdd2b) const at jsc.cpp:4635:13 frame #12: 0x000055555704d90a jsc`int runJSC<jscmain(int, char**)::$_0>(options=0x000055555a753e70, isWorker=false, func=0x00007fffffffde1b) at jsc.cpp:4421:13 frame #13: 0x000055555704b154 jsc`jscmain(argc=7, argv=0x00007fffffffdfb8) at jsc.cpp:4628:18 frame #14: 0x000055555704aeda jsc`main(argc=7, argv=0x00007fffffffdfb8) at jsc.cpp:3663:15 frame #15: 0x00007ffff5829d90 libc.so.6`__libc_start_call_main(main=(jsc`main at jsc.cpp:3600), argc=7, argv=0x00007fffffffdfb8) at libc_start_call_main.h:58:16 frame #16: 0x00007ffff5829e40 libc.so.6`__libc_start_main_impl(main=<unavailable>, argc=7, argv=<unavailable>, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffdfa8) at libc-start.c:392:3 frame #17: 0x0000555557046c25 jsc`_start + 37