[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 1 08:40:34 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #25 from Michael Saboff <msaboff at apple.com>  2013-08-01 08:40:17 PST ---
(In reply to comment #23)
> Created an attachment (id=207928)
>  --> (https://bugs.webkit.org/attachment.cgi?id=207928&action=review)
> Fix for X86 32-bit (release and debug builds). DO NOT COMMIT
> 
> Do not commit this patch. It fixes X86 32-bit builds (release and debug), but will break all other architectures (X86_64, sh4, ARM etc ...): each architecture dependent function ctiVMThrowTrampolineSlowpath must be adapted with this patch.
> 
> JSC experts, do you think this kind of patch is a good way to fix the issue? If so, I'll make changes for the architectures I know (X86_64 and sh4) and submit a new patch.

We do not want to commit the patch.  It uses whatever ecx contains without allocating memory, thus trashing whatever ecx points to.  This patch could be fixed to allocate that space on the stack.

The other approach is to return the two 32 bit values as one 64 bit value just like an encoded JSValue.  This is in keeping with the X86 32 bit ABI.  I plan on posting such a patch this morning.

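The two ways of handing a tag/payload pair back from a slow path that the comment above contrasts, as an added example in C. This is not WebKit code: the ValuePair type, the tag-in-high-word/payload-in-low-word layout and all function names are this example's own stand-ins for JSC's 32-bit JSValue encoding. The only ABI fact it relies on is that the x86 32-bit calling convention returns a 64-bit integer in edx:eax, so a packed 64-bit return value gives the assembly trampoline both halves in registers, whereas an out-parameter is only safe when the caller has actually reserved the memory the pointer refers to.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for JSC's 32-bit JSValue layout: tag in the high
 * 32 bits, payload in the low 32 bits. Names are this example's own. */
typedef struct {
    uint32_t tag;
    uint32_t payload;
} ValuePair;

/* Approach 1: return both halves as one 64-bit value. On the x86 32-bit
 * ABI a uint64_t comes back in edx:eax (edx = tag, eax = payload), so
 * the trampoline can read each half from a register with no memory
 * traffic and no pointer to keep valid across the call. */
static uint64_t pack_pair(uint32_t tag, uint32_t payload) {
    return ((uint64_t)tag << 32) | (uint64_t)payload;
}

static ValuePair unpack_pair(uint64_t packed) {
    ValuePair v;
    v.tag = (uint32_t)(packed >> 32);
    v.payload = (uint32_t)(packed & 0xFFFFFFFFu);
    return v;
}

/* Slow path in the "return a packed 64-bit value" style. The real slow
 * path would compute the pair; here it simply passes its inputs through. */
static uint64_t slowpath_packed(uint32_t tag, uint32_t payload) {
    return pack_pair(tag, payload);
}

/* Approach 2: out-parameter. Correct only if `out` points at memory the
 * caller owns. The defect described for the rejected patch was passing
 * whatever a register happened to hold as this pointer, so the stores
 * below landed on unrelated memory. */
static void slowpath_outparam(uint32_t tag, uint32_t payload, ValuePair *out) {
    out->tag = tag;
    out->payload = payload;
}

/* Caller that does it properly: reserves the slot on its own stack first. */
static ValuePair call_with_stack_slot(uint32_t tag, uint32_t payload) {
    ValuePair slot;                       /* the memory the out-pointer targets */
    slowpath_outparam(tag, payload, &slot);
    return slot;
}

/* Round trip through the packed 64-bit return value. */
static int roundtrip_ok(uint32_t tag, uint32_t payload) {
    ValuePair v = unpack_pair(slowpath_packed(tag, payload));
    return v.tag == tag && v.payload == payload;
}

int main(void) {
    uint64_t packed = slowpath_packed(0xFFFFFFFDu, 0x1234u);
    ValuePair v = unpack_pair(packed);
    printf("packed=0x%016" PRIx64 " tag=0x%08" PRIx32 " payload=0x%08" PRIx32 "\n",
           packed, v.tag, v.payload);
    ValuePair s = call_with_stack_slot(7u, 9u);
    printf("via stack slot: tag=%" PRIu32 " payload=%" PRIu32 "\n", s.tag, s.payload);
    return roundtrip_ok(0xFFFFFFFEu, 0x80000000u) ? 0 : 1;
}
```

Compiled for 32-bit x86 (`-m32`), `slowpath_packed` leaves the tag in edx and the payload in eax; on other targets the same C is still correct, which is the portability argument for the packed return over an architecture-specific out-pointer convention.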