[webkit-dev] Trampoline problem

Gavin Barraclough barraclough at apple.com
Thu Jun 11 10:55:37 PDT 2009 

On Jun 11, 2009, at 10:20 AM, Toshiyasu Morita wrote:

> I've tracked down a crash in our JIT port to a problem with the  
> trampoline generation.
>
> The symptom of the crash is: the ScopeChain becomes corrupted and  
> acquires the value of 1.
>
> void  
> JIT::privateCompileCTIMachineTrampolines(RefPtr<ExecutablePool>*  
> executablePool, void** ctiArrayLengthTrampoline, void**  
> ctiStringLengthTrampoline, void** ctiVirtualCallPreLink, void**  
> ctiVirtualCallLink, void** ctiVirtualCall)
> {
>     emitPutJITStubArg(regT3, 2);
>     ...
>     Call callArityCheck2 = call();
>     move(regT1, callFrameRegister);
>     emitGetJITStubArg(1, regT2);  (1)
>     ...
>     compileOpCallInitializeCallFrame();
>     ...
> }
>
> void JIT::compileOpCallInitializeCallFrame()
> {
>     store32(regT1, Address(callFrameRegister,  
> RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))));
>
>     loadPtr(Address(regT2, FIELD_OFFSET(JSFunction, m_scopeChain) +  
> FIELD_OFFSET(ScopeChain, m_node)), regT1); // newScopeChain (2)
>
>     storePtr(ImmPtr(JSValuePtr::encode(noValue())),  
> Address(callFrameRegister, RegisterFile::OptionalCalleeArguments *  
> static_cast<int>(sizeof(Register))));
>     storePtr(regT2, Address(callFrameRegister, RegisterFile::Callee  
> * static_cast<int>(sizeof(Register))));
>     storePtr(regT1, Address(callFrameRegister,  
> RegisterFile::ScopeChain * static_cast<int>(sizeof(Register)))); (3)
> }
>
> So basically, what happens is:
>
> (1) The trampoline loads args[1] into regT2

This is restoring the pointer to callee JSFunction*.

> (2) Loads *(regT2 + offset) into reg T1

This is loading the ScopeChain from the callee function.

> (3) Stores regT1 at args[-6] and destroys the value (writes 1 to  
> ScopeChain)

This is setting the ScopeChain in the callframe header so it is passed  
to the callee.

> I don't understand what this code is trying to do.. Comments  
> appreciated.
>
> Toshi
>
>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20090611/016d56f1/attachment.html>

More information about the webkit-dev mailing list