245657 – crash in javascriptcore

Bug 245657 - crash in javascriptcore

Summary: crash in javascriptcore

Status:	RESOLVED DUPLICATE of bug 245066

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-09-25 23:29 PDT by zhunkibatu
Modified:	2023-01-26 14:22 PST (History)
CC List:	4 users (show)

See Also:	225094

Attachments
the minimal poc (72 bytes, text/javascript) 2022-09-25 23:29 PDT, zhunkibatu	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhunkibatu 2022-09-25 23:29:35 PDT

Created attachment 462613 [details]
the minimal poc

The following poc cause latest JavaScriptCore to crash.

function main() {
    class a {
        g =  [] 
        'a'(){}
    }
}

Comment 1 Alexey Proskuryakov 2022-09-26 14:16:35 PDT

Similar stack trace to bug 225094.

Comment 2 Radar WebKit Bug Importer 2022-09-26 14:17:00 PDT

<rdar://problem/100427854>

Comment 3 serakeri 2023-01-26 14:01:06 PST

I believe this may have been fixed. I'm unable to reproduce this on Safari 16.3 or on a jsc build with the latest commits.

Comment 4 Yusuke Suzuki 2023-01-26 14:22:52 PST

Yeah, this is fixed in bug 245066. Thanks!

*** This bug has been marked as a duplicate of bug 245066 ***