```js
new (function () { /x/.constructor.input = /x/.constructor; this.constructor(); });
```

This testcase hits a SIGTRAP on debug builds on rev https://github.com/WebKit/WebKit/commit/427a310bda2e, run with: --useConcurrentJIT=false --useDFGJIT=true --useFTLJIT=false. The SIGTRAP goes away when --useDFGJIT=false.

The regressor seems to be: https://github.com/WebKit/WebKit/commit/10748e5975cd

```
10748e5975cd1f538bd71b5e68bcf61ad142fc18 is the first bad commit
commit 10748e5975cd1f538bd71b5e68bcf61ad142fc18
Author: Keith Miller
Date:   Tue May 7 13:08:55 2024 -0700

    JIT operations should return the current exception in a return GPR when it's free.
    https://bugs.webkit.org/show_bug.cgi?id=273264
    rdar://127065985

    Reviewed by Yusuke Suzuki.
```

Setting s-s to be safe, as JIT'ed code may sometimes be problematic. Please feel free to open this up as needed.
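As an added example (not part of the report and not WebKit project code), here is a small POSIX shell driver that runs the testcase above under the exact tier flags from the report and maps the outcome onto the exit codes `git bisect run` expects, which is the kind of harness used to arrive at a "first bad commit" like the one quoted. The jsc binary path (`JSC`) and the testcase filename (`TESTCASE`) are assumptions, overridable via the environment.

```shell
#!/bin/sh
# Added example, not from the WebKit bug or the WebKit project: a driver for
# `git bisect run` around the testcase and flags quoted in the report.
# Assumptions: JSC names a debug-build jsc binary (env override), and the
# testcase is written to $TESTCASE in the current directory if absent.

JSC="${JSC:-jsc}"                 # assumed path to a debug-build jsc
TESTCASE="${TESTCASE:-repro.js}"  # assumed filename for the testcase

# Write the report's testcase verbatim to the given file.
write_testcase() {
  cat > "$1" <<'EOF'
new (function () { /x/.constructor.input = /x/.constructor; this.constructor(); });
EOF
}

# Map a child exit status onto git-bisect verdicts: prints a word and
# returns 0 (good), 1 (bad) or 125 (skip: this revision cannot be tested).
classify_exit() {
  case "$1" in
    0)       echo good; return 0 ;;    # ran to completion, no assertion hit
    133)     echo bad;  return 1 ;;    # 128 + SIGTRAP (5): the debug assertion from the report
    126|127) echo skip; return 125 ;;  # jsc missing or not executable at this revision
    *)       echo skip; return 125 ;;  # some other failure; not the symptom being bisected
  esac
}

# Run the testcase with the report's tier configuration: DFG on, FTL and
# concurrent JIT off. The child's status is captured (so a crash does not
# abort the driver) and classified; git bisect acts on the return value.
run_repro() {
  [ -f "$TESTCASE" ] || write_testcase "$TESTCASE"
  status=0
  "$JSC" --useConcurrentJIT=false --useDFGJIT=true --useFTLJIT=false "$TESTCASE" \
    >/dev/null 2>&1 || status=$?
  classify_exit "$status"
}

# Only run when invoked as the driver script, so the functions can also be sourced.
case "$0" in
  *bisect-repro.sh) run_repro; exit $? ;;
esac
```

Usage: after `git bisect start <bad-rev> <good-rev>`, run `git bisect run ./bisect-repro.sh` (building jsc at each step must be done by the script or a wrapper, since this driver only executes the binary). Returning 125 rather than 1 for a missing binary or an unrelated failure keeps revisions that merely failed to build from being misreported as the regressor.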
<rdar://problem/129096982>
If it helps, I also found this on Ubuntu Linux 22.04.
Hi, thanks for the report! I don't think this needs to be in security since it hasn't shipped yet. I think the fix is easy.
Pull request: https://github.com/WebKit/WebKit/pull/29427
Committed 279625@main (e44e4c11207c): <https://commits.webkit.org/279625@main> Reviewed commits have been landed. Closing PR #29427 and removing active labels.