[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 1 11:41:22 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119140

--- Comment #29 from Csaba Osztrogonac <ossy at webkit.org>  2013-08-01 11:41:05 PST ---
(In reply to comment #27)
> Created an attachment (id=207937)
> --> (https://bugs.webkit.org/attachment.cgi?id=207937&action=review) [details]
> Patch
> 
> I tested this with MacOSX 32 bit build by running JS tests and examining the disassembly to verify that edx:eax are used for return values.  I also compiled this for ARM and verified via disassembly that r1:r0 are used for the return value.
> 
> Maintainers of other platforms should verify this solves the issue for them as well before the patch is committed.

I tested it on x86/GCC/QtWebKit in release and debug mode too, and
run-javascriptcore-tests passes without any failure; there are only
7 crashes on fast/js:
Regressions: Unexpected crashes (7)
  fast/js/create-lots-of-workers.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-check-structure.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-cse.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-negative-check-structure.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-negative-proto-value.html [ Crash ]
  fast/js/regress/string-get-by-val-out-of-bounds-insane.html [ Crash ]
  fast/js/regress/string-get-by-val-out-of-bounds.html [ Crash ]

But it seems to be a different bug; I'm going to file a new bug report about it.
