[Webkit-unassigned] [Bug 211301] New: [JSC] FTLLowerDFGToB3.cpp - DFG ASSERTION FAILED: Bad array type

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 1 10:32:34 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=211301

            Bug ID: 211301
           Summary: [JSC] FTLLowerDFGToB3.cpp - DFG ASSERTION FAILED: Bad
                    array type
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: myoki.crystal at gmail.com

Created attachment 398200

  --> https://bugs.webkit.org/attachment.cgi?id=398200&action=review

crashes.zip

First of all, I'm new to Bugzilla.
I looked into some previous bug like #184773 and #208764 but I can not find a pattern to submit this kind of bug.
I will try to follow the "bug writing guidelines".

Overview: DFG ASSERTION FAILED: Bad array type on several cases.

Steps to Reproduce:

1) Build Relaese with ASAN:
./Tools/Scripts/set-webkit-configuration --asan
./Tools/Scripts/build-webkit --jsc-only --release

2) Run JSC with JS file

Actual Results: JSC crashes with "DFG ASSERTION FAILED: Bad array type"

Expected Results: JSC should not crash.

Build Date & Hardware: commit at 66c0e50302b9b28b931129d906e332cd6903dbab

Additional Information: This crashes were generated by fuzzilli with some additional tweak.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200501/c9ff38be/attachment.htm>

More information about the webkit-unassigned mailing list