[Webkit-unassigned] [Bug 180852] New: The CleanUp phase (after the IntegerRangeOptimization phase) is erroneously removing a Check.
bugzilla-daemon at webkit.org
Thu Dec 14 17:20:33 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=180852
Bug ID: 180852
Summary: The CleanUp phase (after the IntegerRangeOptimization
phase) is erroneously removing a Check.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
Created attachment 329425
--> https://bugs.webkit.org/attachment.cgi?id=329425&action=review
Repro test case.
This results in a subsequent node expecting a checked String object but instead getting a non-String cell, which leads to a crash.
I ran the test as follows:
$ JSC_useConcurrentJIT=0 jsc repro1.js