[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
bugzilla-daemon at webkit.org
Thu Aug 1 14:14:02 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #35 from Michael Saboff <msaboff at apple.com> 2013-08-01 14:13:45 PST ---
Ossy, the disassembly you provided seems reasonable. Below is what my ARM build produces. In both cases, the results of cti_vm_throw_slowpath are left in r0:r1.
JavaScriptCore`cti_vm_throw_slowpath:
0x35b318: push {r7, lr}
0x35b31a: mov r7, sp
0x35b31c: sub sp, #32
0x35b31e: str r0, [sp, #28]
0x35b320: bl 0x19a310 ; JSC::ExecState::codeBlock() const
0x35b324: bl 0x198a60 ; JSC::CodeBlock::vm()
0x35b328: str r0, [sp, #24]
0x35b32a: ldr r1, [sp, #28]
0x35b32c: movw r2, #18808
0x35b330: str r1, [r0, r2]
0x35b332: ldr r0, [sp, #24]
0x35b334: ldr r2, [sp, #28]
0x35b336: movw r1, #22496
0x35b33a: add r1, r0
0x35b33c: vldr d16, [r1]
0x35b340: vstr d16, [sp, #8]
0x35b344: ldr r3, [sp, #8]
0x35b346: ldr r1, [sp, #12]
0x35b348: mov r9, sp
0x35b34a: str.w r1, [r9]
0x35b34e: add r1, sp, #16
0x35b350: str r0, [sp, #4]
0x35b352: mov r0, r1
0x35b354: ldr r1, [sp, #4]
0x35b356: bl 0x34324c ; JSC::jitThrowNew(JSC::VM*, JSC::ExecState*, JSC::JSValue)
0x35b35a: ldr r0, [sp, #16]
0x35b35c: ldr r1, [sp, #20]
0x35b35e: bl 0x3430bc ; JSC::encode(JSC::ExceptionHandler)
0x35b362: add sp, #32
0x35b364: pop {r7, pc}
0x35b366: nop
JavaScriptCore`JSC::encode(JSC::ExceptionHandler):
0x3430bc: sub sp, #16
0x3430be: str r0, [sp, #8]
0x3430c0: str r1, [sp, #12]
0x3430c2: vldr d16, [sp, #8]
0x3430c6: vstr d16, [sp]
0x3430ca: ldr r0, [sp]
0x3430cc: ldr r1, [sp, #4]
0x3430ce: add sp, #16
0x3430d0: bx lr
Please provide a stack trace for one of the failures and the disassembly of ctiVMThrowTrampolineSlowpath.
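An added example, not part of the bug report or of JavaScriptCore's own source: a small C model of how the 8-byte ExceptionHandler shown above travels through r0:r1 on 32-bit ARM, plus a sanity check on the CallFrame half that the trampoline will use. The field order (catchRoutine first, callFrame second), the little-endian layout and the validity rule are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of JSC::ExceptionHandler on 32-bit ARM: two 32-bit words.
 * Field order is an assumption: catchRoutine first, callFrame second. */
typedef struct {
    uint32_t catchRoutine;  /* address the throw trampoline jumps to */
    uint32_t callFrame;     /* CallFrame* the trampoline restores as r5/sp base */
} ExceptionHandler32;

/* Mirrors what the disassembled JSC::encode does: the 8-byte struct is
 * returned bitwise as a 64-bit value. On little-endian ARM the first field
 * ends up in the low word (r0) and the second in the high word (r1). */
static uint64_t encode_handler(ExceptionHandler32 h)
{
    return (uint64_t)h.catchRoutine | ((uint64_t)h.callFrame << 32);
}

/* The two registers a 32-bit ARM EABI caller reads a 64-bit return from. */
static uint32_t reg_r0(uint64_t packed) { return (uint32_t)packed; }
static uint32_t reg_r1(uint64_t packed) { return (uint32_t)(packed >> 32); }

/* Plausibility check on the word that will be used as CallFrame*: a null or
 * misaligned value is the kind of invalid pointer that crashes beneath the
 * throw path. Alignment rule (4-byte) is an assumption. Returns 1 if usable. */
static int call_frame_looks_valid(uint32_t callFrame)
{
    return callFrame != 0 && (callFrame & 3u) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real crash. */
    ExceptionHandler32 h = { 0x0035b400u, 0x7fd0a8c0u };
    uint64_t packed = encode_handler(h);
    printf("r0 = 0x%08x (catchRoutine)\n", reg_r0(packed));
    printf("r1 = 0x%08x (callFrame, valid=%d)\n", reg_r1(packed),
           call_frame_looks_valid(reg_r1(packed)));
    return 0;
}
```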