[Webkit-unassigned] [Bug 211881] JavascriptCore crashed cause of Inappropriate optimization
bugzilla-daemon at webkit.org
Thu May 14 19:59:10 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=211881
--- Comment #4 from szwgg <5n1p3r0010 at gmail.com> ---
If we run the PoC below in a release build (built simply with build-webkit --jsc-only --release),
we get a crash in FTLLowerDFGToB3.cpp, in void JSC::FTL::{anonymous}::LowerDFGToB3::compileGetArrayLength().
PoC:
function main() {
    const arr = [];
    function test(arg1, arg2) {
        // arr.__proto__ is Array.prototype; iterating it exercises the array iterator
        // protocol (and therefore a length lookup) on that object.
        const t = arr.__proto__;
        for (const i of t) {}
        // Sloppy-mode assignment: p becomes a global.
        p = 1337;
        let idx = 0;
        // idx is never incremented, so this loop spins until the function is
        // tiered up by the optimizing JITs; the crash is reported from the FTL.
        while (idx < p) {}
    }
    const n_ = test();
}
main();
It seems that something goes wrong when the code is optimized and converted to assembly. (I previously focused on the V8 engine and I'm new to JSC; currently I can't figure out the root cause, but I'll try.)