[Webkit-unassigned] [Bug 119140] REGRESSION: There are zillion crashes after FTL merge on 32 bit platforms

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 31 00:34:11 PDT 2013

https://bugs.webkit.org/show_bug.cgi?id=119140

--- Comment #9 from Zan Dobersek <zandobersek at gmail.com>  2013-07-31 00:33:56 PST ---
(In reply to comment #5)
> This is really weird as it implies a bogus call frame, but somehow only on 32_64, and only on gcc (I'm assuming) builds.

A bogus call frame is exactly what's happening.

In a breakpoint that's set on JSC::cti_vm_throw_slowpath, `info registers` in gdb shows that the actual and bogus callFrame parameter to the function is stored in the %edx register. If I modify the ctiVMThrowTrampolineSlowpath ASM to move the contents of the %edi register (which points to the correct JSC::CallFrame) into the %edx register, then breaking on JSC::cti_vm_throw_slowpath shows that the argument is now the correct one, and the function executes without a problem. The program crashes later in the JSC::jsCast assertion, due to these changes.

OTOH, breaking in JSC::cti_vm_throw_slowpath and manually setting callFrame to the correct pointer on every break makes the program work without problems. So yes, the problem is in the bogus call frame parameter of the JSC::cti_vm_throw_slowpath call.

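The second experiment in comment #9 (stopping in JSC::cti_vm_throw_slowpath and setting callFrame to the correct pointer on every break) can be scripted so it does not have to be repeated by hand. The gdb command file below is an added example and is not part of the bug report or of WebKit; it assumes a 32-bit x86 gcc debug build of JavaScriptCore, that %edi still holds the correct JSC::CallFrame* when the breakpoint is reached (as the comment reports for the trampoline), and that the parameter is named callFrame as in the comment.

```gdb
# Added example, not from the bug report or from WebKit.
# Automates the manual workaround from comment #9: on every hit of
# JSC::cti_vm_throw_slowpath, show the argument registers and replace
# the bogus callFrame argument with the pointer held in %edi.
# Assumptions: 32-bit x86 gcc build; %edi still holds the correct
# JSC::CallFrame* at the breakpoint; the parameter is named callFrame.
break JSC::cti_vm_throw_slowpath
commands
  silent
  # Make the mismatch visible: what arrived in %edx vs. what %edi holds.
  printf "cti_vm_throw_slowpath: edx=%#x edi=%#x callFrame=%p\n", $edx, $edi, callFrame
  # Override the bogus argument and let execution proceed.
  set variable callFrame = (JSC::CallFrame *) $edi
  continue
end
run
```

Load it with `gdb -x <this-file> --args <jsc-binary> <test-script>` (paths are placeholders). If the run then completes without the crash, that confirms the diagnosis in the comment: only the argument handed to JSC::cti_vm_throw_slowpath is wrong, not the call frame itself. The printf line also records the %edx/%edi values on each hit, which is the evidence to attach when fixing the trampoline's register use.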