[webkit-help] crash in trampoline return

Zaheer Ahmad zaheer.mot at gmail.com
Thu Oct 21 08:06:41 PDT 2010


hi,
I am debugging a crash in the WebKit JIT (ARM Thumb-2, Froyo) when loading a page.
The crash happens after the return from the trampoline, when popping pc:

0xa861b6ac <_ZN3JSC7JITCode7executeEPNS_12RegisterFileEPNS_9ExecStateEPNS_12JSGlobalDataEPNS_7JSValueE+56>:  ldr r0, [r5, #0]
0xa861b6ae <_ZN3JSC7JITCode7executeEPNS_12RegisterFileEPNS_9ExecStateEPNS_12JSGlobalDataEPNS_7JSValueE+58>:  bl 0xa8622698 <ctiTrampoline>
0xa861b6b2 <_ZN3JSC7JITCode7executeEPNS_12RegisterFileEPNS_9ExecStateEPNS_12JSGlobalDataEPNS_7JSValueE+62>:  add sp, #20
0xa861b6b4 <_ZN3JSC7JITCode7executeEPNS_12RegisterFileEPNS_9ExecStateEPNS_12JSGlobalDataEPNS_7JSValueE+64>:  pop {r4, r5, r6, r7, pc}

(gdb) x/20x $sp
0x46bb9360: 0xa8748b48 0x002601e8 0x003c8b60 0x46ec2024
0x46bb9370: 0x46bb93d8 0xa861c05f

The sp is off by 4 bytes, i.e. it should be 0x46bb9364 and not 0x46bb9360,
i.e. pc should be 0xa861c05f. If I explicitly set this value before popping,
the use case works. I am not familiar with the trampoline entry/exit sequence
between the generated code and the native code well enough to debug inside it,
so any pointers would be greatly helpful.

Thanks,
Zaheer
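The following is an added example, not code from the post or from WebKit: it emulates the Thumb-2 `pop {r4, r5, r6, r7, pc}` over the six stack words dumped above and scans nearby sp values for the one whose pc slot holds a plausible Thumb return address (bit 0 set, inside the JSC text region rather than on the stack). The text and stack ranges (TEXT_LO/HI, STACK_LO/HI) are assumptions taken from the addresses in the post, not from a real memory map, and `find_sp_fix` is a hypothetical helper for this diagnosis.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stack words from the post's `x/20x $sp` at 0x46bb9360 (constructed
   from the dump shown above; only the six printed words are known). */
#define DUMP_BASE 0x46bb9360u
static const uint32_t dump[] = {
    0xa8748b48, 0x002601e8, 0x003c8b60, 0x46ec2024,
    0x46bb93d8, 0xa861c05f,
};
#define DUMP_WORDS (sizeof dump / sizeof dump[0])

/* Assumed address ranges, derived from the values in the post. */
#define TEXT_LO  0xa8000000u
#define TEXT_HI  0xa9000000u
#define STACK_LO 0x46000000u
#define STACK_HI 0x47000000u

struct popped { uint32_t r4, r5, r6, r7, pc, sp_after; bool ok; };

/* Emulate Thumb-2 `pop {r4, r5, r6, r7, pc}` starting at sp. Registers
   are loaded from ascending addresses, lowest register first, pc last,
   and sp advances by five words. ok=false if the read leaves the dump. */
static struct popped emulate_pop(uint32_t sp) {
    struct popped p;
    memset(&p, 0, sizeof p);
    if (sp < DUMP_BASE || (sp & 3) || (sp - DUMP_BASE) / 4 + 5 > DUMP_WORDS)
        return p;
    size_t i = (sp - DUMP_BASE) / 4;
    p.r4 = dump[i];     p.r5 = dump[i + 1]; p.r6 = dump[i + 2];
    p.r7 = dump[i + 3]; p.pc = dump[i + 4];
    p.sp_after = sp + 20;
    p.ok = true;
    return p;
}

/* A return into Thumb code must carry the interworking bit (bit 0 set)
   and land in the text range; a value inside the stack range is a frame
   slot that was popped into pc by mistake. */
static bool plausible_thumb_return(uint32_t pc) {
    return (pc & 1) && pc >= TEXT_LO && pc < TEXT_HI;
}

static bool is_stack_address(uint32_t v) {
    return v >= STACK_LO && v < STACK_HI;
}

/* Try sp adjustments of -4..+4 words and return the byte offset that
   makes the popped pc plausible, or INT32_MIN if none does. */
static int32_t find_sp_fix(uint32_t sp) {
    for (int d = -4; d <= 4; d++) {
        struct popped p = emulate_pop(sp + 4 * d);
        if (p.ok && plausible_thumb_return(p.pc))
            return 4 * d;
    }
    return INT32_MIN;
}

int main(void) {
    struct popped bad = emulate_pop(DUMP_BASE);
    printf("pop at sp=%#x -> pc=%#x (%s)\n", DUMP_BASE, bad.pc,
           is_stack_address(bad.pc) ? "stack address, not code" : "unknown");
    int32_t fix = find_sp_fix(DUMP_BASE);
    if (fix != INT32_MIN) {
        struct popped good = emulate_pop(DUMP_BASE + fix);
        printf("sp is off by %d bytes; pop at %#x -> pc=%#x\n",
               fix, DUMP_BASE + fix, good.pc);
    }
    return 0;
}
```

With the dump from the post, popping at 0x46bb9360 loads pc from the fifth word, 0x46bb93d8, which is a stack address; popping at 0x46bb9364 loads 0xa861c05f, an odd address just past the `bl` in JITCode::execute. A one-word imbalance like this normally means the trampoline pushed one more word on entry than it removed before returning (or the `add sp, #20` in the caller assumes a frame layout the trampoline did not leave behind), so comparing the push count at ctiTrampoline entry with the adds and pops on its exit path is the place to start.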