[Webkit-unassigned] [Bug 97586] [Qt] Fix crashes with LLInt C loop on 64 bit release mode

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 30 07:49:38 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=97586

--- Comment #8 from Zoltan Herczeg <zherczeg at webkit.org>  2012-10-30 07:50:56 PST ---
I did some debugging. The bug is easy to reproduce. Just run an "array[0] = 32" expression in JS. Since "array" is undefined, an exception should be thrown. And that is what happens. The returnToThrow() in LLIntExceptions.cpp is executed. After the code is returned to (which is the slow case of resolve):

OFFLINE_ASM_LOCAL_LABEL(_offlineasm_noInstructions)

It crashes at:
   opcode = *CAST<Opcode*>(rBasePC.i8p + (rPC.i32 << 3) + intptr_t(0x0));

The address of the next instruction should go to t0, am I right?
LLInt::decodeResult(result, t0.instruction, t1.execState);

Is restoreStateAfterCCall() ok if you return with an exception?

What disturbs me the most: it uses rPC.i for all calculations, except the last one: rPC.i32 is used instead of i. Why?

Filip, could you give me some ideas?

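To illustrate the rPC.i versus rPC.i32 difference the comment asks about, here is an added example; it is not code from WebKit or from this thread, and it does not claim to be the root cause of the crash. It models a register union with a full-width integer view, a 32-bit view and a byte-pointer view (an assumed shape, not copied from the C loop, and assuming little-endian layout so that .i32 aliases the low 32 bits of .i) and shows that the byte offset computed from the 32-bit view only agrees with the full-width one while the register's value fits in 32 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, illustrative register union (not WebKit's definition): one
 * 64-bit integer view, one 32-bit view and one byte-pointer view.
 * Little-endian layout is assumed, so .i32 reads the low 32 bits of .i. */
typedef union {
    int64_t i;
    int32_t i32;
    int8_t* i8p;
} Reg;

/* Offset formed the way the quoted line does it, from the 32-bit view.
 * "<< 3" is written as "* 8" so the arithmetic stays well-defined for
 * negative values; the int32 is widened first, so any bits above the low
 * 32 of the register have already been dropped at this point. */
static int64_t offset_via_i32(Reg pc) { return (int64_t)pc.i32 * 8; }

/* The same offset formed from the full-width view. */
static int64_t offset_via_i(Reg pc) { return pc.i * 8; }

/* Returns 1 if the two views give different byte offsets for this value,
 * 0 if they agree. */
int offsets_disagree(int64_t value)
{
    Reg pc;
    pc.i = value;
    return offset_via_i32(pc) != offset_via_i(pc);
}

int main(void)
{
    /* Constructed sample values: small bytecode indices fit in 32 bits and
     * the views agree; a value with bits set above the low 32 (as a
     * pointer-sized quantity would have) makes them diverge. */
    int64_t samples[] = { 7, 0x7fffffffLL, -1, 0x100000010LL };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        Reg pc;
        pc.i = samples[k];
        printf("value 0x%llx: i32 view -> %lld, i view -> %lld (%s)\n",
               (unsigned long long)samples[k],
               (long long)offset_via_i32(pc),
               (long long)offset_via_i(pc),
               offsets_disagree(samples[k]) ? "disagree" : "agree");
    }
    return 0;
}
```

Run on a 64-bit little-endian host, the first three samples agree and the last one does not: the 32-bit view keeps only the low word (0x10), so the offset it produces points somewhere entirely different from the one the full-width value describes. That is the kind of mismatch worth ruling out when a 64-bit build dereferences an address computed from a narrower register view.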