[Webkit-unassigned] [Bug 143645] Crash in JSC::DFG::SpeculativeJIT::fillSpeculateInt52(JSC::DFG::Edge, JSC::DataFormat)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Apr 15 09:23:59 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=143645
Michael Saboff <msaboff at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |msaboff at apple.com
--- Comment #4 from Michael Saboff <msaboff at apple.com> ---
I suspect that this is fixed by the change to <https://bugs.webkit.org/show_bug.cgi?id=143727> - "DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format" which was landed in change set r182827: <http://trac.webkit.org/changeset/182827>.
It is hard to prove if we can't reproduce the crash.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150415/dea5080f/attachment.html>
More information about the webkit-unassigned
mailing list