[webkit-dev] Trampoline problem
Toshiyasu Morita
tm_webkit at yahoo.com
Thu Jun 11 10:20:12 PDT 2009
I've tracked down a crash in our JIT port to a problem with the trampoline generation.
The symptom of the crash is: the ScopeChain becomes corrupted and acquires the value of 1.
void JIT::privateCompileCTIMachineTrampolines(RefPtr<ExecutablePool>* executablePool, void** ctiArrayLengthTrampoline, void** ctiStringLengthTrampoline, void** ctiVirtualCallPreLink, void** ctiVirtualCallLink, void** ctiVirtualCall)
{
    emitPutJITStubArg(regT3, 2);
    ...
    Call callArityCheck2 = call();
    move(regT1, callFrameRegister);
    emitGetJITStubArg(1, regT2); // (1)
    ...
    compileOpCallInitializeCallFrame();
    ...
}

void JIT::compileOpCallInitializeCallFrame()
{
    store32(regT1, Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))));
    loadPtr(Address(regT2, FIELD_OFFSET(JSFunction, m_scopeChain) + FIELD_OFFSET(ScopeChain, m_node)), regT1); // newScopeChain (2)
    storePtr(ImmPtr(JSValuePtr::encode(noValue())), Address(callFrameRegister, RegisterFile::OptionalCalleeArguments * static_cast<int>(sizeof(Register))));
    storePtr(regT2, Address(callFrameRegister, RegisterFile::Callee * static_cast<int>(sizeof(Register))));
    storePtr(regT1, Address(callFrameRegister, RegisterFile::ScopeChain * static_cast<int>(sizeof(Register)))); // (3)
}
So basically, what happens is:
(1) The trampoline loads args[1] into regT2
(2) Loads *(regT2 + offset) into regT1
(3) Stores regT1 at args[-6] and destroys the value (writes 1 to ScopeChain)
I don't understand what this code is trying to do. Comments appreciated.
Toshi