[Webkit-unassigned] [Bug 140879] New: Crash in JSC::DFG::prepareOSREntry
bugzilla-daemon at webkit.org
Mon Jan 26 01:02:27 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=140879
Bug ID: 140879
Summary: Crash in JSC::DFG::prepareOSREntry
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: cwhan.tunz at gmail.com
--------------------------
function g() {
    function f() {
        g.apply(null, ['']);
    }
    // g -> f -> g.apply(...) recurses without a base case, so f() never returns
    f().watch(a)
}
(function () {
    g.apply(null, null);
})();
--------------------------
If I run this code, it crashes.
Program received signal SIGSEGV, Segmentation fault.
JSC::DFG::prepareOSREntry (exec=exec@entry=0x7ffeb2308f68, codeBlock=codeBlock@entry=0x7ffff7f52000,
bytecodeIndex=bytecodeIndex@entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121
121 if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
(gdb) bt
#0 JSC::DFG::prepareOSREntry (exec=exec@entry=0x7ffeb2308f68, codeBlock=codeBlock@entry=0x7ffff7f52000,
bytecodeIndex=bytecodeIndex@entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121
#1 0x00000000006082bf in JSC::cti_optimize (args=0x7fffffffd730)
at /development/tunz/javascript/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1991
#2 0x00007fffb2cbb3d6 in ?? ()
#3 0x00007ffe00000000 in ?? ()
#4 0x00007ffe00000000 in ?? ()
#5 0x00007ffff7ed1108 in ?? ()
#6 0x0000000000000000 in ?? ()
(gdb) list
116 #endif
117 return 0;
118 }
119 continue;
120 }
121 if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
122 #if ENABLE(JIT_VERBOSE_OSR)
123 dataLog(" OSR failed because variable ", local, " is ", exec->registers()[local].jsValue(), ", expected ", entry->m_expectedValues.local(local), ".\n");
124 #endif
125 return 0;
I think it is a stack overflow of the JIT (DFG).
I tested it on QtWebKit, Ubuntu 14.04 64-bit.
I found this crash with afl-fuzz.