<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div>On Jun 11, 2009, at 10:20 AM, Toshiyasu Morita wrote:</div>
<blockquote type="cite">
<div>I've tracked down a crash in our JIT port to a problem with the trampoline generation.</div>
<br>
<div>The symptom of the crash is: the ScopeChain becomes corrupted and acquires the value of 1.</div>
<br>
<pre>
void JIT::privateCompileCTIMachineTrampolines(RefPtr&lt;ExecutablePool&gt;* executablePool, void** ctiArrayLengthTrampoline, void** ctiStringLengthTrampoline, void** ctiVirtualCallPreLink, void** ctiVirtualCallLink, void** ctiVirtualCall)
{
    emitPutJITStubArg(regT3, 2);
    ...
    Call callArityCheck2 = call();
    move(regT1, callFrameRegister);
    emitGetJITStubArg(1, regT2);                      // (1)
    ...
    compileOpCallInitializeCallFrame();
    ...
}

void JIT::compileOpCallInitializeCallFrame()
{
    // ArgumentCount slot of the call frame header
    store32(regT1, Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast&lt;int&gt;(sizeof(Register))));

    loadPtr(Address(regT2, FIELD_OFFSET(JSFunction, m_scopeChain) + FIELD_OFFSET(ScopeChain, m_node)), regT1); // newScopeChain (2)

    // OptionalCalleeArguments slot
    storePtr(ImmPtr(JSValuePtr::encode(noValue())), Address(callFrameRegister, RegisterFile::OptionalCalleeArguments * static_cast&lt;int&gt;(sizeof(Register))));
    // Callee slot
    storePtr(regT2, Address(callFrameRegister, RegisterFile::Callee * static_cast&lt;int&gt;(sizeof(Register))));
    // ScopeChain slot
    storePtr(regT1, Address(callFrameRegister, RegisterFile::ScopeChain * static_cast&lt;int&gt;(sizeof(Register)))); // (3)
}
</pre>
<div>So basically, what happens is:</div>
<br>
<div>(1) The trampoline loads args[1] into regT2</div>
</blockquote>
<div>This is restoring the pointer to the callee JSFunction*.</div>
<br>
<blockquote type="cite">
<div>(2) Loads *(regT2 + offset) into regT1</div>
</blockquote>
<div>This is loading the ScopeChain from the callee function.</div>
<br>
<blockquote type="cite">
<div>(3) Stores regT1 at args[-6] and destroys the value (writes 1 to ScopeChain)</div>
</blockquote>
<div>This is setting the ScopeChain in the callframe header so it is passed to the callee.</div>
<br>
<blockquote type="cite">
<div>I don't understand what this code is trying to do. Comments appreciated.</div>
<br>
<div>Toshi</div>
<br>
<div>_______________________________________________<br>
webkit-dev mailing list<br>
<a href="mailto:webkit-dev@lists.webkit.org">webkit-dev@lists.webkit.org</a><br>
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev</div>
</blockquote>
</body></html>