[Webkit-unassigned] [Bug 124409] New: [Win] JavaScript crashes on 64-bit with JIT enabled.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 15 06:54:16 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=124409

           Summary: [Win] JavaScript crashes on 64-bit with JIT enabled.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: peavo at outlook.com


I'm currently getting several different crashes when running WinCairo with JIT enabled on 64-bit.

I've found the following issues:

The saving of the frame pointer in callToJavaScript in JITStubsMSVC64.asm is wrong.
The move instruction has flipped the arguments, compared to the GCC version.

The registers rsi and rdi in callToJavaScript need to be saved and restored.
This is required by the Windows 64-bit ABI. The caller stores local variables in them,
and if not saved and restored, we crash when returning to the caller.

The getHostCallReturnValue function needs to be updated according to its GCC counterpart.

The methods JIT::appendCallWithExceptionCheck and JIT::appendCallWithCallFrameRollbackOnException need
to allocate stack space for the 4 argument registers, as required by the Windows 64-bit ABI.
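The three ABI points above (MASM operand order for the frame-pointer save, rsi/rdi being callee-saved on Windows x64, and the 32-byte home space for the four register arguments) in one minimal MASM x64 thunk. This is an added illustration, not code from JITStubsMSVC64.asm or from the reporter's patch; callThunk is a hypothetical name and it simply calls the function pointer passed in rcx.

```asm
; Added illustration (not WebKit's JITStubsMSVC64.asm): a minimal Windows x64
; thunk that obeys the three ABI rules discussed in the report.
; callThunk is hypothetical: it calls the function whose address is in rcx,
; leaving the remaining argument registers (rdx, r8, r9) untouched.

PUBLIC callThunk
_TEXT SEGMENT
callThunk PROC
    ; Save the frame pointer. MASM uses Intel syntax: destination first.
    ; The GAS/AT&T form of this same line is "movq %rsp, %rbp" (source first).
    ; Carrying the GCC operand order over to MASM unchanged gives
    ; "mov rsp, rbp", which overwrites the stack pointer instead of saving it.
    push rbp
    mov rbp, rsp

    ; rsi and rdi are callee-saved in the Windows x64 ABI (they are scratch
    ; in the System V ABI used by the GCC version), so any routine that
    ; clobbers them must preserve them for its caller.
    push rsi
    push rdi

    ; Home ("shadow") space: every Windows x64 caller must reserve 32 bytes
    ; above the return address for the four register arguments
    ; rcx, rdx, r8, r9, even when the callee takes fewer arguments.
    ; After the return address and three pushes rsp is 16-byte aligned,
    ; and subtracting 32 keeps it aligned for the call.
    sub rsp, 32
    call rcx
    add rsp, 32

    ; Restore callee-saved registers and the frame pointer in reverse order.
    pop rdi
    pop rsi
    pop rbp
    ret
callThunk ENDP
_TEXT ENDS
END
```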
