Bug 71227

Summary: REGRESSION (r97118): Reproducible crash in JSCell::toPrimitive when adding
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCore Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo
Priority: P1 Keywords: InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://webmop.de/app/context.html
Attachments:
Description Flags
the patch oliver: review+

Alexey Proskuryakov
Reported 2011-10-31 10:47:21 PDT
Steps to reproduce: open http://webmop.de/app/context.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000010afc5c34 JSC::JSCell::toPrimitive(JSC::ExecState*, JSC::PreferredPrimitiveType) const + 4
1 com.apple.JavaScriptCore 0x000000010af022cd JSC::jsAddSlowCase(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 941
2 com.apple.JavaScriptCore 0x000000010ae966e9 cti_op_add + 121
3 ??? 0x00004cbbf7f54454 0 + 84370202641492
4 com.apple.JavaScriptCore 0x000000010ae37128 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1112
5 com.apple.JavaScriptCore 0x000000010ae36cbd JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 45

<rdar://problem/10306791>
Attachments
the patch (2.03 KB, patch)
2011-10-31 14:00 PDT, Filip Pizlo
oliver: review+
Filip Pizlo
Comment 1 2011-10-31 14:00:47 PDT
Created attachment 113084 [details] the patch
Filip Pizlo
Comment 2 2011-10-31 14:04:03 PDT