[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
bugzilla-daemon at webkit.org
Thu Aug 1 11:41:22 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #29 from Csaba Osztrogonac <ossy at webkit.org> 2013-08-01 11:41:05 PST ---
(In reply to comment #27)
> Created an attachment (id=207937)
> --> (https://bugs.webkit.org/attachment.cgi?id=207937&action=review)
> Patch
>
> I tested this with MacOSX 32 bit build by running JS tests and examining the disassembly to verify that edx:eax are used for return values. I also compiled this for ARM and verified via disassembly that r1:r0 are used for the return value.
>
> Maintainers of other platforms should verify this solves the issue for them as well before the patch is committed.
I tested it on x86/GCC/QtWebKit in release and debug mode too, and
run-javascriptcore-tests passes without any failures, and there are only
7 crashes on fast/js:
Regressions: Unexpected crashes (7)
fast/js/create-lots-of-workers.html [ Crash ]
fast/js/dfg-string-out-of-bounds-check-structure.html [ Crash ]
fast/js/dfg-string-out-of-bounds-cse.html [ Crash ]
fast/js/dfg-string-out-of-bounds-negative-check-structure.html [ Crash ]
fast/js/dfg-string-out-of-bounds-negative-proto-value.html [ Crash ]
fast/js/regress/string-get-by-val-out-of-bounds-insane.html [ Crash ]
fast/js/regress/string-get-by-val-out-of-bounds.html [ Crash ]
But it seems it is a different bug; I'm going to file a new bug report about it.