[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 31 14:35:06 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=119140





--- Comment #15 from Zan Dobersek <zandobersek at gmail.com>  2013-07-31 14:34:49 PST ---
(In reply to comment #14)
> (In reply to comment #12)
> When I compile JITStubs.cpp with -E, I get this:
> 
> ExceptionHandler __attribute__ ((fastcall)) cti_vm_throw_slowpath(CallFrame*) __attribute__((used)) __attribute__((visibility("hidden")));

Same on x86 with GCC.

Here's assembly related to cti_vm_throw_slowpath. Thanks for looking into this!

    .globl ctiVMThrowTrampolineSlowpath
.hidden ctiVMThrowTrampolineSlowpath
ctiVMThrowTrampolineSlowpath:
movl %edi, %ecx
call cti_vm_throw_slowpath
jmp *%edx

...

    .globl    cti_vm_throw_slowpath
    .hidden    cti_vm_throw_slowpath
    .type    cti_vm_throw_slowpath, @function
cti_vm_throw_slowpath:
.LFB11958:
    .loc 113 2165 0
    .cfi_startproc
    pushl    %ebp
.LCFI2232:
    .cfi_def_cfa_offset 8
    .cfi_offset 5, -8
    movl    %esp, %ebp
.LCFI2233:
    .cfi_def_cfa_register 5
    pushl    %ebx
    subl    $68, %esp
    .cfi_offset 3, -12
    call    __x86.get_pc_thunk.bx
    addl    $_GLOBAL_OFFSET_TABLE_, %ebx
    movl    %ecx, -28(%ebp)
    movl    %edx, -32(%ebp)
.LBB485:
    .loc 113 2166 0
    movl    -32(%ebp), %eax
    movl    %eax, (%esp)
    call    _ZNK3JSC9ExecState9codeBlockEv at PLT
    movl    %eax, (%esp)
    call    _ZN3JSC9CodeBlock2vmEv at PLT
    movl    %eax, -12(%ebp)
    .loc 113 2167 0
    movl    -12(%ebp), %eax
    movl    -32(%ebp), %edx
    movl    %edx, 18788(%eax)
    .loc 113 2168 0
    movl    -28(%ebp), %ecx
    movl    -12(%ebp), %eax
    movl    22472(%eax), %edx
    movl    22468(%eax), %eax
    movl    %eax, 12(%esp)
    movl    %edx, 16(%esp)
    movl    -32(%ebp), %eax
    movl    %eax, 8(%esp)
    movl    -12(%ebp), %eax
    movl    %eax, 4(%esp)
    movl    %ecx, (%esp)
    call    _ZN3JSC11jitThrowNewEPNS_2VMEPNS_9ExecStateENS_7JSValueE at PLT
    subl    $4, %esp
.LBE485:
    .loc 113 2169 0
    movl    -28(%ebp), %eax
    movl    -4(%ebp), %ebx
    leave
.LCFI2234:
    .cfi_restore 5
    .cfi_restore 3
    .cfi_def_cfa 4, 4
    ret
    .cfi_endproc
.LFE11958:
    .size    cti_vm_throw_slowpath, .-cti_vm_throw_slowpath

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list