[Webkit-unassigned] [Bug 85076] ARM JIT causes segmentation fault on javascript-heavy pages
bugzilla-daemon at webkit.org
Tue May 1 01:10:46 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=85076
--- Comment #12 from Zoltan Herczeg <zherczeg at webkit.org> 2012-05-01 01:10:45 PST ---
No problem. This is entirely different now.
> Nothing new until now. But let's look at that code with the right library in place:
>
> 0x41d5d15c <cti_op_get_by_id_proto_fail+8>: ldr lr, [sp, #3118288] ; 0x40
> 0x41d5d160 <cti_op_get_by_id_proto_fail+12>: mov pc, lr
> 0x41d5d164 <cti_op_get_by_id_array_fail>: str lr, [sp, #3118288] ; 0x40
> 0x41d5d168 <cti_op_get_by_id_array_fail+4>: bl 0x41cae2e8
>
> This looks suspicious. Does it tell you anything?
Yeah, it is really suspicious. The sequence should look like this:
str lr, [sp, ...]
bl ...
ldr lr, [sp, ...]
mov pc, lr
Generated by:
#define DEFINE_STUB_FUNCTION(rtype, op) \
extern "C" { \
rtype JITStubThunked_##op(STUB_ARGS_DECLARATION); \
}; \
asm ( \
".globl " SYMBOL_STRING(cti_##op) "\n" \
SYMBOL_STRING(cti_##op) ":" "\n" \
"str lr, [sp, #" STRINGIZE_VALUE_OF(THUNK_RETURN_ADDRESS_OFFSET) "]" "\n" \
"bl " SYMBOL_STRING(JITStubThunked_##op) "\n" \
"ldr lr, [sp, #" STRINGIZE_VALUE_OF(THUNK_RETURN_ADDRESS_OFFSET) "]" "\n" \
"mov pc, lr" "\n" \
); \
rtype JITStubThunked_##op(STUB_ARGS_DECLARATION)
and
#define THUNK_RETURN_ADDRESS_OFFSET 0x38
(so #3118288 is way too big for me)
In other words, something added 8 to the offset of these so-called "stubs". Same for the second function. The question is why... Perhaps a very simple web page with simple JS that calls the fallbacks, like this, could also reveal this error:
<script>
var a = {}; a["a"]=5;
</script>
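As an added check (not part of the bug thread or of WebKit's sources), a small Python script that parses gdb-style disassembly of the cti_* thunks and flags every str/ldr of lr whose stack slot differs from THUNK_RETURN_ADDRESS_OFFSET; the sample input is constructed from the output quoted above, with the two trailing instructions of cti_op_get_by_id_array_fail assumed.

```python
import re

# From JITStubs.cpp as quoted in the bug: slot where the cti_* thunks spill lr.
THUNK_RETURN_ADDRESS_OFFSET = 0x38

LINE_RE = re.compile(
    r"^0x[0-9a-f]+\s+<(?P<sym>\w+)(?:\+(?P<off>\d+))?>:\s*(?P<insn>.+)$")
# The quoted gdb output prints a bogus decimal immediate (#3118288) next to a
# sane "; 0x40" annotation, so the hex annotation is preferred when present.
LR_SLOT_RE = re.compile(
    r"^(?P<op>ldr|str)\s+lr,\s*\[sp,\s*#(?P<imm>\d+)\](?:\s*;\s*(?P<hex>0x[0-9a-f]+))?")


def parse_stubs(disasm):
    """Group instructions by symbol: {sym: [(offset_in_symbol, insn_text), ...]}."""
    stubs = {}
    for line in disasm.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stubs.setdefault(m["sym"], []).append((int(m["off"] or 0), m["insn"].strip()))
    return stubs


def check_stubs(disasm, expected=THUNK_RETURN_ADDRESS_OFFSET):
    """Return {sym: [(actual_slot, actual_slot - expected), ...]} for every cti_*
    stub whose str/ldr of lr uses a stack slot other than the expected one."""
    bad = {}
    for sym, insns in parse_stubs(disasm).items():
        if not sym.startswith("cti_"):
            continue
        for _, insn in insns:
            m = LR_SLOT_RE.match(insn)
            if not m:
                continue
            slot = int(m["hex"], 16) if m["hex"] else int(m["imm"])
            if slot != expected:
                bad.setdefault(sym, []).append((slot, slot - expected))
    return bad


# Constructed sample mirroring the gdb output quoted in the bug; the last two
# instructions of cti_op_get_by_id_array_fail are assumed (the quote cuts off).
SAMPLE = """\
0x41d5d15c <cti_op_get_by_id_proto_fail+8>: ldr lr, [sp, #3118288] ; 0x40
0x41d5d160 <cti_op_get_by_id_proto_fail+12>: mov pc, lr
0x41d5d164 <cti_op_get_by_id_array_fail>: str lr, [sp, #3118288] ; 0x40
0x41d5d168 <cti_op_get_by_id_array_fail+4>: bl 0x41cae2e8
0x41d5d16c <cti_op_get_by_id_array_fail+8>: ldr lr, [sp, #3118288] ; 0x40
0x41d5d170 <cti_op_get_by_id_array_fail+12>: mov pc, lr
"""
```

Running `check_stubs(SAMPLE)` reports both stubs with slot 0x40, i.e. 8 bytes past the expected 0x38, which is exactly the discrepancy the comment describes.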