[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 31 12:17:41 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #12 from Michael Saboff <msaboff at apple.com>  2013-07-31 12:17:26 PST ---
(In reply to comment #9)
> (In reply to comment #5)
> > This is really weird as it implies a bogus call frame, but somehow on 32_64, and only on gcc (i'm assuming) builds.
> 
> A bogus call frame is exactly what's happening.
> 
> In a breakpoint that's set on JSC::cti_vm_throw_slowpath, `info registers` in gdb shows that the actual and bogus callFrame parameter to the function is stored in the %edx register. If I modify the ctiVMThrowTrampolineSlowpath ASM to move the contents of the %edi register (which point to the correct JSC::CallFrame) into the %edx register, then breaking on JSC::cti_vm_throw_slowpath shows that the argument is now the correct one, and the function executes without a problem. The program crashes later in the JSC::jsCast assertion, due to these changes.
> 
> OTOH, breaking in JSC::cti_vm_throw_slowpath and manually setting callFrame to the correct pointer on every break makes the program work without problems. So yes, the problem is in the bogus call frame parameter of the JSC::cti_vm_throw_slowpath call.

ctiVMThrowTrampolineSlowpath moves the callFrame register (%edi) into %ecx, which should be the first argument register for functions with the "fastcall" attribute.  The JIT_STUB macro before the definition of cti_vm_throw_slowpath() should be setting fast call.  %edx is the second "fast call" parameter.

Can you verify that JIT_STUB resolves to __attribute__ ((fastcall))?  Also provide the disassembly of the first 15 or so instructions of cti_vm_throw_slowpath() so we can see where it is expecting the argument.
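As an added example (not from the bug report or the WebKit code base), a small heuristic check over gdb-style AT&T disassembly of the kind requested above: it reports whether a 32-bit prologue reads its first argument from %ecx (fastcall), from %edx, or from the stack (cdecl). The disassembly snippets are constructed for illustration, not real cti_vm_throw_slowpath output.

```python
import re

# Constructed gdb-style disassembly (not real JSC output): a 32-bit
# prologue that reads its first argument from %ecx, as fastcall expects.
FASTCALL_PROLOGUE = """\
   0x0804a0c0 <+0>:   push   %ebp
   0x0804a0c1 <+1>:   mov    %esp,%ebp
   0x0804a0c3 <+3>:   sub    $0x18,%esp
   0x0804a0c6 <+6>:   mov    %ecx,-0x4(%ebp)
   0x0804a0c9 <+9>:   mov    -0x4(%ebp),%eax
"""

# Constructed: a cdecl prologue that takes its first argument from the stack.
CDECL_PROLOGUE = """\
   0x0804a100 <+0>:   push   %ebp
   0x0804a101 <+1>:   mov    %esp,%ebp
   0x0804a103 <+3>:   mov    0x8(%ebp),%eax
   0x0804a106 <+6>:   mov    %edx,%ecx
"""

INSN = re.compile(r"^\s*0x[0-9a-f]+\s+<\+\d+>:\s+(\S+)\s*(.*)$")
REG = re.compile(r"%e[a-z]{2}")
STACK_ARG = re.compile(r"^0x[0-9a-f]+\((%ebp|%esp)\)$")  # positive slot above the frame

def split_operands(text):
    # Split on commas, but not on the commas inside 0x8(%ebp,%eax,4).
    ops, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            ops.append(cur.strip()); cur = ""
        else:
            cur += ch
    return ops + [cur.strip()] if cur.strip() else ops

def first_arg_source(disasm, max_insns=15):
    """Heuristic: the first of %ecx, %edx or a positive stack slot that the
    prologue reads before writing it was live on entry, i.e. is where the
    function expects its first argument. Returns 'ecx', 'edx', 'stack' or None."""
    written = set()
    for line in disasm.splitlines()[:max_insns]:
        m = INSN.match(line)
        if not m:
            continue
        mnemonic, ops = m.group(1), split_operands(m.group(2))
        if not ops:
            continue
        if len(ops) == 1 and not mnemonic.startswith("pop"):
            srcs, dst = ops, None          # push/call/jmp: the operand is read
        else:
            srcs, dst = ops[:-1], ops[-1]  # AT&T order: destination is last
        reads = set(REG.findall(" ".join(srcs)))
        if dst and "(" in dst:             # memory destination: its address regs are read
            reads |= set(REG.findall(dst)); dst = None
        for reg in ("%ecx", "%edx"):
            if reg in reads and reg not in written:
                return reg[1:]
        if any(STACK_ARG.match(s) for s in srcs):
            return "stack"
        if dst and REG.fullmatch(dst):
            written.add(dst)
    return None
```

Run it over the real `disassemble` output of cti_vm_throw_slowpath to see whether the compiled function consumes %ecx (what ctiVMThrowTrampolineSlowpath sets up) or something else.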
