[Webkit-unassigned] [Bug 119140] REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
bugzilla-daemon at webkit.org
Wed Jul 31 12:47:31 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119140
--- Comment #14 from Julien Brianceau <jbrianceau at nds.com> 2013-07-31 12:47:15 PST ---
(In reply to comment #12)
>
> ctiVMThrowTrampolineSlowpath moves the callFrame register (%edi) into %ecx, which should be the first argument register for functions with the "fastcall" attribute. The JIT_STUB macro before the definition of cti_vm_throw_slowpath() should be setting fast call. %edx is the second "fast call" parameter.
>
> Can you verify that JIT_STUB resolves to __attribute__ ((fast call)). Also provide the disassembly of the first 15 or so instructions of cti_vm_throw_slowpath() so we can see where it is expecting the argument.
When I compile JITStubs.cpp with -S, I get this:
    .globl cti_vm_throw_slowpath
    .hidden cti_vm_throw_slowpath
    .type cti_vm_throw_slowpath, @function
cti_vm_throw_slowpath:
    pushl %ebp
    movl %esp, %ebp
    pushl %edi
    pushl %esi
    pushl %ebx
    subl $60, %esp
    call __i686.get_pc_thunk.bx
    addl $_GLOBAL_OFFSET_TABLE_, %ebx
    movl -8(%edx), %eax
    movl 52(%eax), %eax
    movl %edx, 18684(%eax)
    movl 22340(%eax), %esi
    movl 22344(%eax), %edi
    movl %esi, 12(%esp)
    movl %edi, 16(%esp)
    movl %edx, 8(%esp)
    movl %eax, 4(%esp)
    movl %ecx, (%esp)
    movl %ecx, -28(%ebp)
    call _ZN3JSC11jitThrowNewEPNS_2VMEPNS_9ExecStateENS_7JSValueE@PLT
    subl $4, %esp
    movl -28(%ebp), %ecx
    movl %ecx, %eax
    leal -12(%ebp), %esp
    popl %ebx
    popl %esi
    popl %edi
    popl %ebp
    ret
When I compile JITStubs.cpp with -E, I get this:
ExceptionHandler __attribute__ ((fastcall)) cti_vm_throw_slowpath(CallFrame*) __attribute__((used)) __attribute__((visibility("hidden")));
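As an added example (not code from the bug thread or from WebKit), a small Python scan of the posted disassembly that reports which registers cti_vm_throw_slowpath reads before writing them, i.e. where it expects its inputs: the prototype declares one fastcall argument (%ecx), yet the function consumes both %ecx and %edx, which is the extra register input a hidden pointer for the by-value ExceptionHandler return would add. The register model (an ordinary call clobbers %eax/%ecx/%edx, the PC thunk sets only %ebx, callee-saved and stack registers are never arguments) is a simplification assumed for this snippet.

```python
import re
# Constructed from the i386 disassembly posted in the bug (AT&T syntax), trimmed before the jitThrowNew call.
SLOWPATH_ASM = """
cti_vm_throw_slowpath:
    pushl %ebp
    movl %esp, %ebp
    pushl %edi
    pushl %esi
    pushl %ebx
    subl $60, %esp
    call __i686.get_pc_thunk.bx
    addl $_GLOBAL_OFFSET_TABLE_, %ebx
    movl -8(%edx), %eax
    movl 52(%eax), %eax
    movl %edx, 18684(%eax)
    movl 22340(%eax), %esi
    movl 22344(%eax), %edi
    movl %esi, 12(%esp)
    movl %edi, 16(%esp)
    movl %edx, 8(%esp)
    movl %eax, 4(%esp)
    movl %ecx, (%esp)
"""

REG = re.compile(r"%(e[a-d]x|e[sd]i|e[bs]p)")
PRESERVED = {"esp", "ebp", "ebx", "esi", "edi"}   # callee-saved/stack: never argument registers on i386

def incoming_registers(asm):  # registers read before being written, in order of first use
    written, inputs = set(), []
    for line in asm.strip().splitlines():
        op, _, rest = line.strip().partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        reads, writes = [], []
        if op == "call":                         # simplified model: PC thunk sets %ebx, any other callee clobbers
            writes = ["ebx"] if "get_pc_thunk" in rest else ["eax", "ecx", "edx"]
        elif op.startswith("push"):
            reads = REG.findall(ops[0])
        elif op.startswith("pop"):
            writes = REG.findall(ops[0])
        elif len(ops) == 2:                      # src, dst: a memory dst or an add/sub dst is read as well
            src, dst = ops
            reads = REG.findall(src) + (REG.findall(dst) if dst[0] != "%" or op[:3] in ("add", "sub") else [])
            writes = REG.findall(dst) if dst[0] == "%" else []
        inputs += [r for r in dict.fromkeys(reads) if r not in written | PRESERVED and r not in inputs]
        written.update(writes)
    return inputs

def unexpected_inputs(asm, declared_args):  # inputs beyond the fastcall registers of the declared arguments
    return [r for r in incoming_registers(asm) if r not in ["ecx", "edx"][:declared_args]]
```

With the one declared CallFrame* argument, unexpected_inputs(SLOWPATH_ASM, 1) reports %edx as a register the function depends on that the prototype does not explain.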