141194 – Crash in JIT code

Bug 141194 - Crash in JIT code

Summary: Crash in JIT code

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Major
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-02-03 00:54 PST by Han Choongwoo
Modified:	2015-02-03 17:13 PST (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Han Choongwoo 2015-02-03 00:54:48 PST

-----------------
(function() {
var a;
(function() {
for(var i = 0; i < 10000; i++);
a
})();
})();
----------------

this code crahses.

I cannot find the reason.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb2a23bb0 in ?? ()
(gdb) bt
#0  0x00007fffb2a23bb0 in ?? ()
#1  0x000000000000000a in ?? ()
#2  0x000000000000000a in ?? ()
#3  0x000000000000000a in ?? ()
#4  0x000000000000000a in ?? ()
#5  0x000000000000000a in ?? ()
#6  0x00007fffb01cff80 in ?? ()
#7  0x00007fffffffd610 in ?? ()
#8  0x00007ffff7c09fe8 in llint_entry ()
   from /development/tunz/javascript/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
Backtrace stopped: frame did not save the PC
(gdb) x/i $pc
=> 0x7fffb2a23bb0:      mov    0x20(%rax),%rax
(gdb) i r rax
rax            0xa      10

found with afl-fuzz

Comment 1 Alexey Proskuryakov 2015-02-03 12:40:01 PST

This test doesn't cause a crash on Mac for me.

Comment 2 Han Choongwoo 2015-02-03 17:13:02 PST

It seems so..
I've tested it on Ubuntu 14.04.1, x86_64, gtk port.