[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 1 06:27:43 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119140


Simon Hausmann <hausmann at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hausmann at webkit.org




--- Comment #21 from Simon Hausmann <hausmann at webkit.org>  2013-08-01 06:27:26 PST ---
(In reply to comment #17)
> (In reply to comment #16)
> > Julien and I discovered the problem here:
> > 
> > ExceptionHandler __attribute__ ((fastcall)) cti_vm_throw_slowpath(CallFrame* callFrame);
> > 
> > On some compilers, returning a struct causes the compiler to allocate the first register as the "pointer to return value".
> 
> Makes sense.  I was looking at the disassembly that Julien posted and the use of %ecx was throwing me.  The first arg (callFrame) was in %edx.
> 
> That means that ctiVMThrowTrampolineSlowpath will need to be modified for those compilers to allocate the struct space on the stack and put the address in %ecx, put callFrame in %edx and then on return use the values in the stack instead of %eax:edx
> 
> Did you determine any predefined macros that say the compiler is doing this?

I believe that is the standard System V ABI on x86, which is implemented by Linux, Mac OS X (not that 32-bit matters here I suppose :) and other Unixy variants. See also "Functions Returning Structures or Unions" in http://sco.com/developers/devspecs/abi386-4.pdf

The invisible pointer-to-returned-structure argument that's normally on the stack indeed moves into the first register then.

On Windows on the other hand the structure in this case (which is 8 bytes) is returned in an eax:edx pair, if it fits ( http://msdn.microsoft.com/en-us/library/984x0h58.aspx ).

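The lowering that comment #21 describes (the caller reserving space for the returned struct and passing its address as a hidden first argument, which under fastcall displaces callFrame from the first register) is easiest to see when both forms of the function are written out side by side. The following is an added illustration, not code from WebKit or from anyone on this thread: the CallFrame and ExceptionHandler layouts are simplified stand-ins (the real JSC types are different), and the trampoline is modelled as a plain C function. Portable C cannot observe which register the hidden pointer lands in, so this shows only the calling-sequence shape that ctiVMThrowTrampolineSlowpath has to reproduce on System V i386 compilers: allocate the struct on the stack, pass its address, and read the fields back from the stack instead of from eax:edx.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed, simplified stand-ins for the JSC types (not WebKit's definitions). */
typedef struct CallFrame {
    int exceptionValue;           /* constructed payload, unused by the ABI demo */
    struct CallFrame* callerFrame;
} CallFrame;

/* Two pointers: 8 bytes on 32-bit x86, the size comment #21 refers to. */
typedef struct ExceptionHandler {
    void* catchRoutine;
    CallFrame* callFrame;
} ExceptionHandler;

static void catchRoutineStub(void) {}

/* Shared body: constructed one-level unwind to the caller's frame. */
static void fill_handler(ExceptionHandler* h, CallFrame* callFrame)
{
    h->catchRoutine = (void*)catchRoutineStub;
    h->callFrame = callFrame->callerFrame ? callFrame->callerFrame : callFrame;
}

/* Form 1: the declaration from the thread, returning the struct by value.
 * On Windows (fits in 8 bytes) this comes back in eax:edx. */
static ExceptionHandler cti_vm_throw_slowpath(CallFrame* callFrame)
{
    ExceptionHandler handler;
    fill_handler(&handler, callFrame);
    return handler;
}

/* Form 2: what a System V i386 compiler turns form 1 into.  The caller
 * supplies the result slot as a hidden first argument; under fastcall that
 * hidden pointer occupies %ecx and callFrame is pushed to %edx.  The callee
 * writes through the pointer and also hands it back in %eax. */
static ExceptionHandler* cti_vm_throw_slowpath_sret(ExceptionHandler* result, CallFrame* callFrame)
{
    fill_handler(result, callFrame);
    return result;
}

/* Model of the adjusted trampoline on sret compilers: reserve the struct on
 * the trampoline's own stack, pass its address, then read the fields back
 * from that stack slot rather than from eax:edx. */
static void trampoline_sret(CallFrame* callFrame, void** catchRoutineOut, CallFrame** callFrameOut)
{
    ExceptionHandler slot;            /* struct space on the stack */
    cti_vm_throw_slowpath_sret(&slot, callFrame);
    *catchRoutineOut = slot.catchRoutine;
    *callFrameOut = slot.callFrame;
}

/* Returns 1 if the struct is exactly two pointers wide (8 bytes on i386,
 * 16 on x86-64), i.e. the "if it fits" case from the MSDN reference. */
int handler_size_is_two_pointers(void)
{
    return sizeof(ExceptionHandler) == 2 * sizeof(void*);
}

/* Returns 1 if the by-value form and the sret-lowered trampoline produce the
 * same handler for a constructed two-frame stack. */
int forms_agree(void)
{
    CallFrame outer = { 0, NULL };
    CallFrame inner = { 42, &outer };
    ExceptionHandler byValue = cti_vm_throw_slowpath(&inner);
    void* cr = NULL;
    CallFrame* cf = NULL;
    trampoline_sret(&inner, &cr, &cf);
    return byValue.catchRoutine == cr && byValue.callFrame == cf && cf == &outer;
}

int main(void)
{
    printf("sizeof(ExceptionHandler) = %zu bytes\n", sizeof(ExceptionHandler));
    printf("by-value and sret forms agree: %d\n", forms_agree());
    return forms_agree() ? 0 : 1;
}
```

The bug in the title follows directly from mixing the two forms: if the hand-written trampoline loads callFrame into the first fastcall register while the compiler-generated callee treats that register as the hidden result pointer and reads callFrame from the second, the callee both writes the handler through an arbitrary pointer and unwinds from whatever happened to be in %edx.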