[Webkit-unassigned] [Bug 124409] [Win] JavaScript crashes on 64-bit with JIT enabled.
bugzilla-daemon at webkit.org
Fri Nov 15 11:10:59 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=124409
--- Comment #4 from Michael Saboff <msaboff at apple.com> 2013-11-15 11:09:37 PST ---
(In reply to comment #3)
> (In reply to comment #2)
> > (From update of attachment 217049)
> > View in context: https://bugs.webkit.org/attachment.cgi?id=217049&action=review
> >
> > Thanks for the work. Looking pretty good. It needs a couple of changes.
> > In addition to what is noted inline, the value that we sub/add to sp in callToJavaScript / returnFromJavaScript needs to be adjusted for the additional pushes of rbi/rdi and for the space needed to make calls out. The value should be large enough for the space needed to call AND result in a 32 byte aligned SP. I think that means the new value should be 38h. In addition to changing 28h -> 38h, update the comment to include that the calling convention requires space for 4 Dwords.
>
> Thanks for the feedback :)
>
> I updated the value to 38h, and removed the other two calls, but then I get a crash in:
>
> void JIT_OPERATION operationPutByIdNonStrictOptimize(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, StringImpl* uid)
>
> I assume the 5th parameter here goes on the stack.
>
> According to http://msdn.microsoft.com/en-us/library/ms235286.aspx, the stack should be aligned to 16 bytes, but I'm not sure what's correct?
I take it things worked with your earlier patch. My math could be wrong on the 38h. Certainly 38h though is large enough for up to 7 values. Can you provide a stack trace for the crash and the faulting instruction?
IIRC, the 32-byte requirement is for spilling xmm registers.
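The frame arithmetic discussed in this thread, worked through as an added example that is not part of the bug comments or the WebKit source. It applies the 16-byte rule from the Microsoft calling-convention page linked above; the helper names and the push counts tried in `main` are assumptions, since the actual prologue is not shown here.

```c
#include <stdbool.h>
#include <stdio.h>

/* Win64 ABI rules used here: the caller reserves 32 bytes of home (shadow)
   space for the four register arguments, arguments 5 and up are passed on
   the stack above it (8 bytes each), and RSP is 16-byte aligned at every
   call instruction. */
enum { SLOT = 8, SHADOW = 4 * SLOT, ALIGN = 16 };

/* Bytes of outgoing-argument area needed to call a function with nargs. */
static unsigned outgoing_area(unsigned nargs)
{
    return SHADOW + (nargs > 4 ? (nargs - 4) * SLOT : 0);
}

/* Is RSP 16-byte aligned at a call made after `pushes` 8-byte pushes and
   `sub rsp, sub_bytes`? Counted from the caller's aligned RSP. */
static bool aligned_at_call(unsigned pushes, unsigned sub_bytes)
{
    unsigned below = SLOT /* return address */ + pushes * SLOT + sub_bytes;
    return below % ALIGN == 0;
}

/* Smallest `sub rsp, N` that fits nargs and keeps outgoing calls aligned. */
static unsigned min_sub(unsigned pushes, unsigned nargs)
{
    unsigned n = outgoing_area(nargs);
    while (!aligned_at_call(pushes, n))
        n += SLOT;
    return n;
}

/* Most arguments a callee may take if the frame reserves sub_bytes
   (0 means not even the home space fits). */
static unsigned max_args(unsigned sub_bytes)
{
    return sub_bytes < SHADOW ? 0 : 4 + (sub_bytes - SHADOW) / SLOT;
}

int main(void)
{
    /* Hypothetical push counts, tried in turn. */
    for (unsigned pushes = 0; pushes <= 3; pushes++)
        printf("pushes=%u 28h aligned:%d 38h aligned:%d min sub for 5 args=%xh\n",
               pushes, aligned_at_call(pushes, 0x28),
               aligned_at_call(pushes, 0x38), min_sub(pushes, 5));
    printf("28h fits %u args, 38h fits %u args\n", max_args(0x28), max_args(0x38));
    return 0;
}
```

28h and 38h differ by 16, so for any given number of pushes they are either both aligned or both misaligned; the larger value only adds room for more stack arguments.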