[Webkit-unassigned] [Bug 41454] Crash in JSC::JSValue::operator bool when loading postimees.ee

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 9 01:59:26 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=41454





--- Comment #9 from Priit Laes (IRC: plaes) <plaes at plaes.org>  2010-07-09 01:59:26 PST ---
Phew.. got it bisected :)

c9623c29ebd05196543eff26ff51157e13ea6360 is the first bad commit
commit c9623c29ebd05196543eff26ff51157e13ea6360
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Jun 21 17:43:03 2010 +0000

    2010-06-19  Oliver Hunt  <oliver at apple.com>

            Reviewed by Geoffrey Garen.

            Need to ensure that we grow the RegisterFile when creating a callframe for host code
            https://bugs.webkit.org/show_bug.cgi?id=40858
            <rdar://problem/8108986>

            In the past the use of the callframe in hostcode was much more
            limited.  Now that we expect the callframe to always be valid
            we need to grow the RegisterFile so that this is actually the
            case.  In this particular case the problem was failing to grow
            the registerfile could lead to a callframe that extended beyond
            RegisterFiler::end(), so vm re-entry would clobber the callframe
            other scenarios could also lead to badness.

            I was unable to construct a simple testcase to trigger badness,
            and any such testcase would be so dependent on exact vm stack
            layout that it would be unlikely to work as a testcase following
            any callframe or register allocation changes anyway.

            Thankfully the new assertion I added should help to catch these
            failures in future, and triggers on a couple of tests currently.

            * interpreter/CallFrame.cpp:
            (JSC::CallFrame::registerFile):
            * interpreter/CallFrame.h:
            (JSC::ExecState::init):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61553 268f45cc-cd09-0410-ab3c-d52691b4dbfc

:040000 040000 72d529932785e4ccd65dbcf9a1852782842b220c 8ad86d61e4ac201ba4b7aa33e9fd1e4315f53de9 M    JavaScriptCore

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list