[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 1 09:18:58 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119140

--- Comment #26 from Julien Brianceau <jbrianceau at nds.com>  2013-08-01 09:18:42 PST ---
(In reply to comment #25)
> 
> We do not want to commit the patch.  It uses whatever ecx contains without allocating memory, thus trashing whatever ecx points to.  This patch could be fixed to allocate that space on the stack.

ecx is used as it was before: the first argument, containing callFrame, through fastcall. Memory for the struct is reserved on the stack (subl $8) and put in edx, the second argument through fastcall.


> The other approach is to return the two 32 bit values as one 64 bit value just like an encoded JSValue.  This is in keeping with the X86 32 bit ABI.  I plan on posting such a patch this morning.

I'm fine with this approach, provided we fix this bug :) Thanks in advance for your patch!
