[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
bugzilla-daemon at webkit.org
Thu Aug 1 01:35:13 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #20 from Julien Brianceau <jbrianceau at nds.com> 2013-08-01 01:34:57 PST ---
(In reply to comment #17)
> That means that ctiVMThrowTrampolineSlowpath will need to be modified for those compilers to allocate the struct space on the stack and put the address in %ecx, put callFrame in %edx and then on return use the values in the stack instead of %eax:edx
Exactly. To confirm this, I've replaced the implementation of ctiVMThrowTrampolineSlowpath in Source/JavaScriptCore/jit/JITStubsX86.h like this:
asm (
".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
HIDE_SYMBOL(ctiVMThrowTrampolineSlowpath) "\n"
SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
    "movl %edi, %edx" "\n"
    "call " LOCAL_REFERENCE(cti_vm_throw_slowpath) "\n"
    // When cti_vm_throw_slowpath returns, its result struct sits in the stack space addressed by %ecx:
    // callFrame at offset 0, handler address at offset 4. Reload them into eax/edx and jump to the handler.
    "movl (%ecx), %eax" "\n"
    "movl 4(%ecx), %edx" "\n"
    "jmp *%edx" "\n"
);
Results are ok:
- run-fast-jsc reports "426 tests passed, 34 tests failed, 0 tests crashed."
- run-javascriptcore-tests reports "0 regressions found. 0 tests fixed. OK."