[Webkit-unassigned] [Bug 18367] Crash during celtic kane js speed 2007 test
bugzilla-daemon at webkit.org
Wed Apr 9 21:03:28 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=18367
------- Comment #7 from mrowe at apple.com 2008-04-09 21:03 PDT -------
Ok, I think I've tracked down the problem:
Collector::markCurrentThreadConservatively uses setjmp to force registers onto
the stack. The setjmp implementation for x86-64 in glibc is the following:
0x00007f5f7d0c5e00 <__sigsetjmp+0>: mov %rbx,(%rdi)
0x00007f5f7d0c5e03 <__sigsetjmp+3>: mov %rbp,%rax
0x00007f5f7d0c5e06 <__sigsetjmp+6>: xor %fs:0x30,%rax
0x00007f5f7d0c5e0f <__sigsetjmp+15>: rol $0x11,%rax
0x00007f5f7d0c5e13 <__sigsetjmp+19>: mov %rax,0x8(%rdi)
0x00007f5f7d0c5e17 <__sigsetjmp+23>: mov %r12,0x10(%rdi)
0x00007f5f7d0c5e1b <__sigsetjmp+27>: mov %r13,0x18(%rdi)
0x00007f5f7d0c5e1f <__sigsetjmp+31>: mov %r14,0x20(%rdi)
0x00007f5f7d0c5e23 <__sigsetjmp+35>: mov %r15,0x28(%rdi)
0x00007f5f7d0c5e27 <__sigsetjmp+39>: lea 0x8(%rsp),%rdx
0x00007f5f7d0c5e2c <__sigsetjmp+44>: xor %fs:0x30,%rdx
0x00007f5f7d0c5e35 <__sigsetjmp+53>: rol $0x11,%rdx
0x00007f5f7d0c5e39 <__sigsetjmp+57>: mov %rdx,0x30(%rdi)
0x00007f5f7d0c5e3d <__sigsetjmp+61>: mov (%rsp),%rax
0x00007f5f7d0c5e41 <__sigsetjmp+65>: xor %fs:0x30,%rax
0x00007f5f7d0c5e4a <__sigsetjmp+74>: rol $0x11,%rax
0x00007f5f7d0c5e4e <__sigsetjmp+78>: mov %rax,0x38(%rdi)
0x00007f5f7d0c5e52 <__sigsetjmp+82>: jmpq 0x7f5f7d0c5e60
Two important things to note: only a subset of registers are saved, and
several of those that are saved are mangled (xor'd with a magic value, then
rotated left) to not look pointer-like. I suspect this may explain many, if
not all, of the x86-64 specific crashers.
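The effect the comment describes, as an added example written for this page (it is not WebKit's collector code and not glibc's setjmp): a small C model of the x86-64 __sigsetjmp store shown in the disassembly, with a conservative "is this word inside the heap?" scan run over the resulting jmp_buf image. The slot layout (rbx, rbp, r12-r15, rsp, return address) and the mangling transform (xor with the %fs:0x30 guard, then rol $0x11) come from the disassembly above; DEMO_GUARD is a constructed stand-in for the real per-process guard word, and the heap range and register contents are constructed test values. The scenario puts a heap pointer in rbx and another in rbp: the raw scan finds only the rbx copy, because the rbp slot was stored mangled and no longer lies in the heap range, which is exactly how a collector that relies on setjmp to spill registers can miss a live object. Registers that __sigsetjmp does not store at all (rax, rcx, rdx, rsi, rdi, r8-r11) never reach the image in the first place.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit rotate left / rotate right, matching the rol/ror instructions. */
static inline uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static inline uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* The transform seen in the disassembly: xor with the per-process guard word
 * (%fs:0x30 in glibc's TLS), then rol $0x11.  DEMO_GUARD is a CONSTRUCTED
 * stand-in for that word; the real value is random and differs per process. */
#define DEMO_GUARD 0x5a3c9e17b2d4f601ULL

uint64_t mangle_ptr(uint64_t p, uint64_t guard)   { return rol64(p ^ guard, 0x11); }
uint64_t demangle_ptr(uint64_t m, uint64_t guard) { return ror64(m, 0x11) ^ guard; }

/* Slots of the x86-64 jmp_buf written by __sigsetjmp, in the order of the
 * disassembly: 0x00 rbx, 0x08 rbp, 0x10-0x28 r12-r15, 0x30 rsp, 0x38 rip. */
enum { JB_RBX, JB_RBP, JB_R12, JB_R13, JB_R14, JB_R15, JB_RSP, JB_RIP, JB_WORDS };

/* Build the jmp_buf image from a register snapshot: callee-saved registers
 * only, with rbp, rsp and the return address stored mangled. */
void fill_sigjmp_image(uint64_t jb[JB_WORDS], const uint64_t regs[JB_WORDS], uint64_t guard) {
    for (int i = 0; i < JB_WORDS; i++) jb[i] = regs[i];
    jb[JB_RBP] = mangle_ptr(regs[JB_RBP], guard);
    jb[JB_RSP] = mangle_ptr(regs[JB_RSP], guard);
    jb[JB_RIP] = mangle_ptr(regs[JB_RIP], guard);
}

/* Conservative scan: every word inside [heap_lo, heap_hi) is treated as a
 * possible pointer, the way a conservative collector scans stack memory.
 * Returns the number of such words; *found gets one bit per matching slot. */
size_t count_heap_ptrs(const uint64_t *words, size_t n,
                       uint64_t heap_lo, uint64_t heap_hi, unsigned *found) {
    size_t hits = 0;
    *found = 0;
    for (size_t i = 0; i < n; i++) {
        if (words[i] >= heap_lo && words[i] < heap_hi) {
            hits++;
            *found |= 1u << i;
        }
    }
    return hits;
}

/* Worked scenario (constructed values): two heap pointers sit in callee-saved
 * registers when setjmp runs, one in rbx and one in rbp.  Returns how many the
 * raw conservative scan finds; *rbp_recovered receives the demangled rbp slot,
 * which is what the scan would have needed to see. */
size_t demo_scan(uint64_t *rbp_recovered, unsigned *found) {
    const uint64_t heap_lo = 0x10000000ULL, heap_hi = 0x20000000ULL; /* constructed heap */
    uint64_t regs[JB_WORDS] = {
        [JB_RBX] = 0x10001000ULL,      /* heap pointer, stored raw         */
        [JB_RBP] = 0x10002000ULL,      /* heap pointer, but stored mangled */
        [JB_R12] = 1, [JB_R13] = 2, [JB_R14] = 3, [JB_R15] = 4,
        [JB_RSP] = 0x7fff00000000ULL,  /* stack address (constructed)      */
        [JB_RIP] = 0x400000ULL,        /* return address (constructed)     */
    };
    uint64_t jb[JB_WORDS];
    fill_sigjmp_image(jb, regs, DEMO_GUARD);
    *rbp_recovered = demangle_ptr(jb[JB_RBP], DEMO_GUARD);
    return count_heap_ptrs(jb, JB_WORDS, heap_lo, heap_hi, found);
}

int main(void) {
    uint64_t rbp;
    unsigned found;
    size_t hits = demo_scan(&rbp, &found);
    printf("raw scan of jmp_buf image: %zu heap pointer(s), slot mask 0x%02x\n", hits, found);
    printf("rbp slot after demangling: 0x%llx\n", (unsigned long long)rbp);
    return 0;
}
```

The scan reports one hit (slot mask 0x01, the rbx slot) even though two heap pointers were live, and only demangling with the guard word brings the rbp value back into the heap range. A collector that wants every register value on the stack in raw form therefore cannot depend on what setjmp writes; it needs a spill that stores the full register set unmodified.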