NEW 287688
Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
https://bugs.webkit.org/show_bug.cgi?id=287688
Summary Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
cjy096010
Reported 2025-02-13 19:42:36 PST
Created attachment 474230 [details]
The JS file crashes on JSC (webkit commit: a7c31c36ea7c80460755abe46b21f3db5cde239a)

Environment Details:
Operating System: Ubuntu 22.04 (x86_64)
WebKit Version: Commit a7c31c36ea7c80460755abe46b21f3db5cde239a (main branch)

Steps to Reproduction:

1. Build JSC:

    export WEBKIT_OUTPUTDIR=FuzzBuild
    if [ "$(uname)" == "Linux" ]; then
        ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"
    else
        echo "Unsupported operating system"
    fi

2. Execute command:

    /webkit/FuzzBuild/bin/jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true webkit_crash.js

Stack Trace:

    Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
    0x00007fffa8842d12 in ?? ()
    (gdb) bt full
    #0  0x00007fffa8842d12 in ?? ()
    No symbol table info available.
    #1  0x0000000000000000 in ?? ()
    No symbol table info available.
Attachments
The JS file crashes on JSC(webkit commit: a7c31c36ea7c80460755abe46b21f3db5cde239a) (364 bytes, text/javascript)
2025-02-13 19:42 PST, cjy096010
Alexey Proskuryakov
Comment 1 2025-02-14 13:30:14 PST
FWIW, I cannot reproduce this with a plain debug build on macOS.
cjy096010
Comment 2 2025-02-14 23:15:44 PST
(In reply to Alexey Proskuryakov from comment #1)
> FWIW, I cannot reproduce this with a plain debug build on macOS.

I build webkit on Linux by the following command:

    export WEBKIT_OUTPUTDIR=FuzzBuild
    if [ "$(uname)" == "Linux" ]; then
        ./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"
    else
        echo "Unsupported operating system"
    fi

If that fails, you can also try to:

1. Delete all preprocessor conditional compilation pairs "#if ENABLE(FUZZILLI)" and "#endif" in /Source/JavaScriptCore/jsc.cpp, /Source/JavaScriptCore/fuzzilli/Fuzzilli.cpp and Fuzzilli.h. For example:

    #if ENABLE(FUZZILLI)
    static JSC_DECLARE_HOST_FUNCTION(functionFuzzilli);
    #endif

   should be modified to:

    static JSC_DECLARE_HOST_FUNCTION(functionFuzzilli);

2. Add "#include<fuzzilli/Fuzzilli.cpp>" into jsc.cpp
Radar WebKit Bug Importer
Comment 3 2025-02-20 19:48:15 PST