[Webkit-unassigned] [Bug 211301] [JSC] FTLLowerDFGToB3.cpp - DFG ASSERTION FAILED: Bad array type

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 5 04:10:41 PDT 2020


--- Comment #5 from Minh Tran <myoki.crystal at gmail.com> ---
(In reply to Saam Barati from comment #4)
> (In reply to Minh Tran from comment #2)
> > I have about 69 more crashes with FTLLowerDFGToB3, some of which might not
> > be FTL. Please reply if Webkit team is interested in fixing this bug.
> Are they all the same crash?

Those crash are different stack trace from each other, but it might come from the same root cause: ... -> compileNode -> compileGetArrayLength -> CRASH!!!

I believe that the DFG component mistreat these objects.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200505/1d541d1a/attachment.htm>

More information about the webkit-unassigned mailing list