<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h"
href="https://bugs.webkit.org/show_bug.cgi?id=160870#c9">Comment # 9</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h"
href="https://bugs.webkit.org/show_bug.cgi?id=160870">bug 160870</a>
from <span class="vcard"><a class="email" href="mailto:jbedard@apple.com" title="Jonathan Bedard <jbedard@apple.com>"> <span class="fn">Jonathan Bedard</span></a>
</span></b>
<pre>A quick update on Daren's request: This is going to be a very difficult change to test. The most obvious way would be to integrate undefined behavior sanitizer into our testing infrastructure, although this is many months off if it will happen at all.
The other method of testing would be to construct a test which would crash without this change. While this is likely possible, it's unclear to me what such a test would look like. While attempting to construct a test which would crash without this change, I discovered that it really only seems to be js/regress/simple-regexp-exec-folding.html which exhibits the bug, but even this test will not always exhibit this error (most notably, if the number of iterations through the loop is decreased, the error will no longer occur).
If uncovering the precise code path which triggers this bug is important, I can continue to investigate. However, I don't think continued investigation is worthwhile, as an analogous case in forAllTransitiveIncomingValues performs this check.</pre>
</div>
</p>
</body>
</html>