Bug 255319 - Segmentation fault in JSC
Summary: Segmentation fault in JSC
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-04-11 22:33 PDT by zhunkibatu
Modified: 2023-04-18 22:34 PDT

See Also:


Attachments
the minimal poc (63 bytes, text/javascript), 2023-04-11 22:33 PDT, zhunkibatu

Description zhunkibatu 2023-04-11 22:33:47 PDT
Created attachment 465857
the minimal poc

The following JS code causes a segmentation fault in JSC.
=========================================

function foo() {
    eval(``);
    foo.bind()(-1,0);
}

foo();

=========================================
Comment 1 Alexey Proskuryakov 2023-04-12 17:32:51 PDT
I cannot reproduce this with macOS 13.4 beta. Just getting an exception:

Exception: RangeError: Maximum call stack size exceeded.
Comment 2 Radar WebKit Bug Importer 2023-04-18 22:34:21 PDT
<rdar://problem/108243516>