[Webkit-unassigned] [Bug 141194] New: Crash in JIT code

bugzilla-daemon at webkit.org
Tue Feb 3 00:54:48 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=141194

            Bug ID: 141194
           Summary: Crash in JIT code
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cwhan.tunz at gmail.com

-----------------
(function() {
var a;
(function() {
for(var i = 0; i < 10000; i++);
a
})();
})();
----------------

This code crashes.

I cannot find the reason.

Program received signal SIGSEGV, Segmentation fault.
0x00007fffb2a23bb0 in ?? ()
(gdb) bt
#0  0x00007fffb2a23bb0 in ?? ()
#1  0x000000000000000a in ?? ()
#2  0x000000000000000a in ?? ()
#3  0x000000000000000a in ?? ()
#4  0x000000000000000a in ?? ()
#5  0x000000000000000a in ?? ()
#6  0x00007fffb01cff80 in ?? ()
#7  0x00007fffffffd610 in ?? ()
#8  0x00007ffff7c09fe8 in llint_entry ()
   from /development/tunz/javascript/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
Backtrace stopped: frame did not save the PC
(gdb) x/i $pc
=> 0x7fffb2a23bb0:      mov    0x20(%rax),%rax
(gdb) i r rax
rax            0xa      10

Found with afl-fuzz.

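An added triage helper for fuzzer findings like this one; it is not part of the bug report or of WebKit. The script writes the reporter's test case to a file, runs an engine on it and classifies the result by exit status: a POSIX shell reports a child killed by signal N as 128+N, so the SIGSEGV in the report shows up as 139. It assumes `jsc` is the JavaScriptCore shell on PATH and that JSC reads runtime options from `JSC_<optionName>` environment variables, which is how the JIT-off run is done. The reporter's gdb output shows the faulting instruction reading `0x20(%rax)` with `rax` holding the raw value 10, i.e. the JIT-compiled code dereferenced a small integer as if it were a pointer. That is a read near address zero and by itself says nothing about exploitability, so the first thing a triager wants is to confirm the crash is specific to JIT-compiled code.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or WebKit). "jsc" is assumed
# to be the JavaScriptCore shell; JSC_useJIT=false assumes JSC's JSC_<option>
# environment-variable option mechanism.
#
# A POSIX shell reports a child killed by signal N as exit status 128+N,
# so SIGSEGV (11) appears as 139. crash_status classifies on that basis.
# Caveat: a program that deliberately exits with a code above 128 would be
# misclassified as a crash; engines and fuzz targets normally do not.

# Write the reporter's test case (copied from the bug) to the given path.
write_testcase() {
    cat >"$1" <<'EOF'
(function() {
var a;
(function() {
for(var i = 0; i < 10000; i++);
a
})();
})();
EOF
}

# crash_status CMD [ARGS...]
# Runs CMD with its arguments, discarding its output so a crashing run
# cannot pollute the classification. Prints "crash:signal N" and returns 0
# if the process died from a signal, otherwise prints "exit:CODE" and
# returns 1. The "|| status=$?" form keeps this correct under "set -e".
crash_status() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -gt 128 ]; then
        echo "crash:signal $((status - 128))"
        return 0
    fi
    echo "exit:$status"
    return 1
}

# Reproduce the report: run the case with the JIT on, then with it disabled.
# If the crash disappears with JSC_useJIT=false, the bug lives in
# JIT-compiled code rather than in the LLInt interpreter or the runtime.
main() {
    engine="${1:-jsc}"
    tc="$(mktemp)"
    write_testcase "$tc"
    echo "JIT on:  $(crash_status "$engine" "$tc")"
    echo "JIT off: $(crash_status env JSC_useJIT=false "$engine" "$tc")"
    rm -f "$tc"
}

# Only run when invoked with an engine path, so sourcing the file
# just defines the helpers.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Invoke it as `sh triage.sh /path/to/jsc`. A `crash:signal 11` on the first line and `exit:0` on the second is the result that matches the report's "Crash in JIT code" title; a crash in both runs means the JIT is not the culprit and the title is misleading.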