[Webkit-unassigned] [Bug 142625] Crash in JSC::Interpreter::execute
bugzilla-daemon at webkit.org
Mon Mar 23 05:14:56 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=142625
Csaba Osztrogonác <ossy at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark.lam at apple.com,
                   |                            |ossy at webkit.org
--- Comment #1 from Csaba Osztrogonác <ossy at webkit.org> ---
(In reply to comment #0)
...
> The crash happens in line 1119. After a short debugging it seems that at the
> moment of the crash the index of the loop is 0 and the value of
> |numFunctions| is 1. However, since |codeBlock| doesn't contain any
> functionDeclarations at this point, we crash. One more note that could be
> important: the crash happens around the 4096th eval execution.
It's easy to reproduce it on Mac too. The test passes with the baseline JIT
disabled (LLINT only) and with the DFG JIT disabled (LLINT + baseline JIT), so
the bug must be in the DFG JIT engine somewhere.
--
You are receiving this mail because:
You are the assignee for the bug.