[Bug 25658] Unreproducible crash in Safari at com.apple.JavaScriptCore • JSC::BytecodeGenerator::emitComplexJumpScopes + 468
bugzilla-daemon at webkit.org
Fri May 8 19:23:49 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25658
------- Comment #1 from ggaren at apple.com 2009-05-08 19:23 PDT -------
4/24/09 3:12 PM Geoff Garen:
Symbolicated:
0 com.apple.JavaScriptCore 0x95fb1604 JSC::BytecodeGenerator::emitComplexJumpScopes(JSC::Label*, JSC::ControlFlowContext*, JSC::ControlFlowContext*) + 468 (/SourceCache/JavaScriptCore/JavaScriptCore-5528.15/bytecompiler/BytecodeGenerator.cpp:1576)
1 com.apple.JavaScriptCore 0x95f8ba6d JSC::BytecodeGenerator::emitJumpScopes(JSC::Label*, int) + 301 (/SourceCache/JavaScriptCore/JavaScriptCore-5528.15/bytecompiler/BytecodeGenerator.cpp:1594)
5/1/09 12:13 AM Geoff Garen:
BytecodeGenerator.cpp:
    do {
        ASSERT(topScope->isFinallyBlock);
        emitJumpSubroutine(topScope->finallyContext.retAddrDst, topScope->finallyContext.finallyAddr);
        --topScope;
        if (!topScope->isFinallyBlock) // <-- CRASH (BytecodeGenerator.cpp:1576)
            break;
    } while (topScope > bottomScope);
5/1/09 12:16 AM Geoff Garen:
Looks like this code is unmodified since its initial merge in
http://trac.webkit.org/changeset/33979.
5/8/09 7:20 PM Geoff Garen:
Another idea: the set of tokens that can cause an emitComplexJumpScopes is
pretty limited. Try writing a fuzzer to create different combinations and
nesting levels regarding those tokens, and see if you can get it to crash.
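The note of 5/8/09 suggests a fuzzer over the constructs that force a jump to unwind scopes. What follows is an added example written for this page; it is not code from the bug, from Geoff Garen or from WebKit. It assumes that emitComplexJumpScopes is reached when a break, continue or return has to cross one or more finally blocks, possibly mixed with with and catch scopes, so the grammar below produces only try/finally, try/catch/finally, with, switch, for loops, labeled blocks and the jumps themselves (the bug does not enumerate the token set; that list is this example's assumption). The names generateProgram, genStatement and fuzz are this example's own. The generator tracks which jumps are legal at each point so that every program it emits is valid JavaScript: the harness is looking for engine crashes, and a SyntaxError would mean the generator is wrong, not the engine.

```javascript
// Added example, not from the bug or from WebKit. Assumption: jumps that
// cross finally blocks (mixed with with/catch scopes) are what drive JSC's
// emitComplexJumpScopes, so only those constructs are generated.

// Deterministic PRNG (mulberry32) so any crash can be replayed from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function pick(rng, items) {
  return items[Math.floor(rng() * items.length)];
}

// ctx records which jumps are legal here (unlabeled break/continue, labeled
// break) so the output is always syntactically valid JavaScript.
function genStatement(rng, depth, ctx) {
  const kinds = ['tryFinally', 'tryCatchFinally', 'with', 'switch', 'loop', 'labeled', 'jump'];
  const kind = depth <= 0 ? 'jump' : pick(rng, kinds);
  const inner = () => genStatement(rng, depth - 1, ctx);
  switch (kind) {
    case 'tryFinally':
      return `try { ${inner()} } finally { ${inner()} }`;
    case 'tryCatchFinally':
      // catch adds a dynamic scope that a jump must pop before the finally
      return `try { ${inner()} } catch (e) { ${inner()} } finally { ${inner()} }`;
    case 'with':
      return `with (o) { ${inner()} }`;
    case 'switch': {
      const saved = ctx.breakable;
      ctx.breakable = true;
      const s = `switch (x) { case 1: ${inner()} default: ${inner()} }`;
      ctx.breakable = saved;
      return s;
    }
    case 'loop': {
      const sb = ctx.breakable, sc = ctx.continuable;
      ctx.breakable = true;
      ctx.continuable = true;
      // bounded loop with a per-depth counter name, so nesting cannot spin forever
      const s = `for (var i${depth} = 0; i${depth} < 2; i${depth}++) { ${inner()} }`;
      ctx.breakable = sb;
      ctx.continuable = sc;
      return s;
    }
    case 'labeled': {
      // label names are unique along the nesting chain, which is all ES requires
      const label = `L${ctx.labels.length}`;
      ctx.labels.push(label);
      const s = `${label}: { ${inner()} }`;
      ctx.labels.pop();
      return s;
    }
    default: {
      const jumps = ['return x;', 'throw x;', 'x++;'];
      if (ctx.breakable) jumps.push('break;');
      if (ctx.continuable) jumps.push('continue;');
      if (ctx.labels.length) jumps.push(`break ${pick(rng, ctx.labels)};`);
      return pick(rng, jumps);
    }
  }
}

// One function body per seed: a few top-level statements, each nested up to maxDepth.
function generateProgram(seed, maxDepth) {
  const rng = mulberry32(seed);
  const ctx = { breakable: false, continuable: false, labels: [] };
  const count = 1 + Math.floor(rng() * 3);
  const body = [];
  for (let k = 0; k < count; k++) body.push(genStatement(rng, maxDepth, ctx));
  return body.join('\n');
}

// Compile and call each program. The call matters: an engine that generates
// bytecode lazily does so on the first call, not when new Function parses.
function fuzz(seed, iterations, maxDepth) {
  const syntaxErrors = [];
  for (let n = 0; n < iterations; n++) {
    const src = generateProgram(seed + n, maxDepth);
    let fn;
    try {
      fn = new Function('o', 'x', src); // sloppy mode, so `with` is allowed
    } catch (e) {
      syntaxErrors.push({ seed: seed + n, message: String(e), src });
      continue;
    }
    try { fn({}, 1); } catch (e) { /* 'throw x;' is an expected outcome */ }
  }
  return { generated: iterations, syntaxErrors };
}

// Usage: node fuzz.js [seed] [iterations]. A crash kills the process, so the
// seed is printed first; replay program n with generateProgram(seed + n, 4).
if (typeof require !== 'undefined' && require.main === module) {
  const seed = Number(process.argv[2] || 1);
  const iterations = Number(process.argv[3] || 1000);
  console.log(`seed ${seed}, ${iterations} programs`);
  const result = fuzz(seed, iterations, 4);
  console.log(JSON.stringify(result.syntaxErrors.slice(0, 3), null, 2));
}
```

Run it under the engine being tested rather than under node if the target is JSC: the generator and harness are plain ES5 plus template literals, so swapping the file's top-level driver for one that the jsc shell accepts is the only change needed. Because the programs are derived from the seed alone, a crash found on one machine is reproduced by feeding the same seed back through generateProgram, which is the property a crash like this one (filed as unreproducible) most needs.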