[Webkit-unassigned] [Bug 97586] [Qt] Fix crashes with LLInt C loop on 64 bit release mode

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 30 10:18:31 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=97586
--- Comment #10 from Mark Lam <mark.lam at apple.com>  2012-10-30 10:19:48 PST ---
(In reply to comment #8)
> I did some debugging. The bug is easy to reproduce. Just run an "array[0] = 32" expression in JS. Since "array" is undefined, an exception should be thrown. And that is what happens. The returnToThrow() in LLIntExceptions.cpp is executed. After the code is returned to (which is the slow case of resolve):
> 
> OFFLINE_ASM_LOCAL_LABEL(_offlineasm_noInstructions)
> 
> It crashes at:
>    opcode = *CAST<Opcode*>(rBasePC.i8p + (rPC.i32 << 3) + intptr_t(0x0));
> 
> The address of the next instruction should go to t0, am I right?
> LLInt::decodeResult(result, t0.instruction, t1.execState);
> 
> Is restoreStateAfterCCall() ok if you return with an exception?
> 
> What disturbs me the most: it uses rPC.i for all calculations, except the last one: rPC.i32 is used instead of i. Why?

This is because in x86_64 mode, the PC is the bytecode offset, and not an address.  No piece of bytecode should be so big that it exceeds the 2G range of a 32 bit int.

(In reply to comment #9)
> I replaced all rPC.i32 to rPC.i manually in LLIntAssembly.h and all jscore tests are passing now...

In contrast, on mac x86_64, if I change the rPC.i32 to rPC.i, the tests will crash.

I wonder if this is a C++ compiler problem.  Try this test:
1. Modify llint/LowLevelInterpreter.cpp as follows:

=== BEGIN diff ===
     // rPC is an alias for vPC. Set up the alias:
     CLoopRegister& rPC = *CAST<CLoopRegister*>(&vPC);

+    printf(" &rPC.i32 = %p\n", &rPC.i32);
+    printf(" &rPC.i   = %p\n", &rPC.i);
+    rPC.i = 0xfedcba9876543211;
+    printf(" Setting rPC.i = 0xfedcba9876543211;\n");
+    printf(" raw rPC  = %p\n", *(void**)&rPC);
+    rPC.i32 = 0x00000000;
+    printf(" Setting rPC.i32 = 0x00000000;\n");
+    printf(" raw rPC  = %p\n", *(void**)&rPC);
+
 #if USE(JSVALUE32_64)
     vPC = codeBlock->instructions().begin();
 #else // USE(JSVALUE64)
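Review bot: two of the `%p` conversions in the added printf lines receive non-`void*` arguments (`&rPC.i32` is an `int32_t*`, `&rPC.i` an `intptr_t*`), which is undefined behaviour for a variadic call even though it prints the expected addresses on x86_64; cast both to `(void*)`. The `*(void**)&rPC` reads also go through a pointer type unrelated to the union's members, which an optimising build (the release configuration under investigation) is allowed to assume does not alias the preceding `rPC.i` / `rPC.i32` stores; printing `rPC.i` itself with `PRIxPTR` shows the same raw value without depending on that.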
=== END diff ===

2. Build jsc.
3. Create the following test.js file:

=== BEGIN ===
function foo() {
    array[0] = 32;
}

try {
   foo();
} catch (e) {
   print("caught: " + e);
}
=== END ===

4. Run jsc on the test file:

$ jsc test.js 

Here's the result I'm getting on mac x86_64:
=== BEGIN ===
$ jsc test.js 
 &rPC.i32 = 0x7fff519913b0
 &rPC.i   = 0x7fff519913b0
 Setting rPC.i = 0xfedcba9876543211;
 raw rPC  = 0xfedcba9876543211
 Setting rPC.i32 = 0x00000000;
 raw rPC  = 0xfedcba9800000000
caught: ReferenceError: Can't find variable: array
$
=== END ===

Let me know what results you are seeing on Qt.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
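To compare the mac output above with another platform without rebuilding jsc, here is the same union check as a stand-alone C program. This is an added example, not WebKit code: `CLoopReg` is a constructed stand-in for LLInt's `CLoopRegister` carrying only the `i` / `i32` / `i8p` views named in the thread, and its 64-bit member models a 64-bit build.

```c
/* Added example, not WebKit code: a stand-alone replay of the union check
 * from the printf patch above. CLoopReg is a constructed stand-in for
 * LLInt's CLoopRegister with only the views the thread mentions, and the
 * 64-bit member models a 64-bit build. */
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

typedef union {
    int64_t  i;    /* full-width view, used by most LLInt arithmetic */
    int32_t  i32;  /* 32-bit view, used by the x86_64 opcode fetch   */
    int8_t  *i8p;  /* byte-pointer view (what rBasePC holds)         */
} CLoopReg;

/* 1 on little-endian targets such as x86_64, where i32 overlays the low half. */
int is_little_endian(void) {
    CLoopReg r;
    r.i = 1;
    return r.i32 == 1;
}

/* Replays the patch: fill the register, then store 0 through the 32-bit view,
 * and return the raw 64-bit contents (the value the "raw rPC" line prints). */
uint64_t raw_after_i32_store(void) {
    CLoopReg rPC;
    uint64_t raw;
    rPC.i = (int64_t)0xfedcba9876543211ULL;
    rPC.i32 = 0;
    memcpy(&raw, &rPC, sizeof raw);  /* read the bytes without type punning */
    return raw;
}

/* The x86_64 fetch computes rBasePC.i8p + (rPC.i32 << 3). Returns 1 when the
 * 32-bit view yields the same displacement as the full view, i.e. when the
 * upper 32 bits are clear; 0 when stale high bits make the fetches diverge. */
int views_agree(int64_t pc) {
    CLoopReg rPC;
    rPC.i = pc;
    int64_t from_i   = rPC.i * 8;            /* i << 3 without signed-shift UB */
    int64_t from_i32 = (int64_t)rPC.i32 * 8;
    return from_i == from_i32;
}

int main(void) {
    printf(" raw rPC after rPC.i32 = 0: 0x%016" PRIx64 "\n", raw_after_i32_store());
    printf(" views agree for pc 0x1234:      %d\n", views_agree(0x1234));
    printf(" views agree for pc 0x100001234: %d\n", views_agree(0x100001234LL));
    return 0;
}
```

On a little-endian 64-bit host the raw value printed is 0xfedcba9800000000, the same as the mac run above; a different value points at the compiler rather than at LLInt.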