[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
bugzilla-daemon at webkit.org
Thu Aug 1 23:00:23 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #39 from Csaba Osztrogonac <ossy at webkit.org> 2013-08-01 23:00:06 PST ---
(In reply to comment #35)
> Please provide a stack trace for one of the failures and the disassembly of ctiVMThrowTrampolineSlowpath.
Here is the disassembly:
00174628 <ctiVMThrowTrampolineSlowpath>:
174628: 4628 mov r0, r5
17462a: f005 fbcd bl 179dc8 <cti_vm_throw_slowpath>
17462e: f8dd b05c ldr.w fp, [sp, #92] ; 0x5c
174632: f8dd a058 ldr.w sl, [sp, #88] ; 0x58
174636: f8dd 9054 ldr.w r9, [sp, #84] ; 0x54
17463a: f8dd 8050 ldr.w r8, [sp, #80] ; 0x50
17463e: 9f13 ldr r7, [sp, #76] ; 0x4c
174640: 9e12 ldr r6, [sp, #72] ; 0x48
174642: 9d11 ldr r5, [sp, #68] ; 0x44
174644: 9c10 ldr r4, [sp, #64] ; 0x40
174646: f8dd e03c ldr.w lr, [sp, #60] ; 0x3c
17464a: b01a add sp, #104 ; 0x68
17464c: 4708 bx r1
17464e: bf00 nop
Unfortunately the crash backtrace seems a little bit strange:
(on DRT fast/js/JSON-parse-reviver.html)
Program received signal SIGSEGV, Segmentation fault.
0xaf49fc38 in ?? ()
(gdb) bt
#0 0xaf49fc38 in ?? ()
#1 0xaf49fc38 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
On run-javascriptcore-tests there isn't any crash, just simple failures.
I'll attach the actual.html; it might help.