[Webkit-unassigned] [Bug 191058] New: Assertion failed at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:236
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Oct 30 01:24:41 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=191058
Bug ID: 191058
Summary: Assertion failed at
../../Source/JavaScriptCore/ftl/FTLOperations.cpp:236
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: zhunkibatu at gmail.com
the following poc triggered an assertion failure:
RELEASE_ASSERT(materialization->properties().size() - 2 == table->scopeSize());
at ../../Source/JavaScriptCore/ftl/FTLOperations.cpp:236
poc:
function f(x,x,x,x){eval;}
for(var i=0;i<100000;i++){f();}
f(0,1,2,3);
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181030/0cf950cd/attachment.html>
More information about the webkit-unassigned
mailing list