NEW 141194
Crash in JIT code
https://bugs.webkit.org/show_bug.cgi?id=141194
Summary Crash in JIT code
Han Choongwoo
Reported 2015-02-03 00:54:48 PST
-----------------
(function() {
  var a;
  (function() {
    for (var i = 0; i < 10000; i++);
    a
  })();
})();
----------------

This code crashes. I cannot find the reason.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb2a23bb0 in ?? ()
(gdb) bt
#0  0x00007fffb2a23bb0 in ?? ()
#1  0x000000000000000a in ?? ()
#2  0x000000000000000a in ?? ()
#3  0x000000000000000a in ?? ()
#4  0x000000000000000a in ?? ()
#5  0x000000000000000a in ?? ()
#6  0x00007fffb01cff80 in ?? ()
#7  0x00007fffffffd610 in ?? ()
#8  0x00007ffff7c09fe8 in llint_entry () from /development/tunz/javascript/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
Backtrace stopped: frame did not save the PC
(gdb) x/i $pc
=> 0x7fffb2a23bb0: mov 0x20(%rax),%rax
(gdb) i r rax
rax            0xa      10

Found with afl-fuzz.
Alexey Proskuryakov
Comment 1 2015-02-03 12:40:01 PST
This test doesn't cause a crash on Mac for me.
Han Choongwoo
Comment 2 2015-02-03 17:13:02 PST
It seems so. I've tested it on Ubuntu 14.04.1, x86_64, GTK port.