[Webkit-unassigned] [Bug 160870] Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 17 12:02:09 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=160870

--- Comment #9 from Jonathan Bedard <jbedard at apple.com> ---
A quick update on Daren's request: This is going to be a very difficult change to test.  The most obvious way would be to integrate undefined behavior sanitizer into our testing infrastructure, although this is many months off if it will happen at all.

The other method of testing would be to construct a test which would crash without this change.  While this is likely possible, it's unclear to me what such a test would look like.  While attempting to construct a test which would crash without this change, I discovered that it really only seems to be js/regress/simple-regexp-exec-folding.html which exhibits the bug, but even this test will not always exhibit this error (most notably, if the number of iterations through the loop is decreased, the error will no longer occur).

If uncovering the precise code path which triggers this bug is important, I can continue to investigate.  However, I don't think continued investigation is worthwhile, as an analogous case in forAllTransitiveIncomingValues performs this check.
