[Webkit-unassigned] [Bug 124409] [Win] JavaScript crashes on 64-bit with JIT enabled.
bugzilla-daemon at webkit.org
Fri Nov 15 11:59:12 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=124409
--- Comment #5 from peavo at outlook.com 2013-11-15 11:57:50 PST ---
(In reply to comment #4)
> I take it things worked with your earlier patch. My math could be wrong on the 38h. Certainly 38h though is large enough for up to 7 values. Can you provide a stack trace for the crash and the faulting instruction?
>
> IIRC, The 32 byte requirement is for spilling xmm registers.
Yes, it worked with the previous patch. I had the exact same crash before, it was what made me add the SP subPtr/addPtr adjustments.
The faulting instruction is the last instruction in the disassembly:
void JIT_OPERATION operationPutByIdNonStrictOptimize(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, StringImpl* uid)
{
0000000002D01100 mov qword ptr [rsp+18h],rbx
0000000002D01105 push rbp
0000000002D01106 push rsi
0000000002D01107 push rdi
0000000002D01108 push r12
0000000002D0110A push r13
0000000002D0110C sub rsp,50h
VM* vm = &exec->vm();
0000000002D01110 mov rax,qword ptr [rcx+18h]
NativeCallFrameTracer tracer(vm, exec);
Identifier ident(vm, uid);
0000000002D01114 mov rbx,qword ptr [uid]
0000000002D0111C mov rdi,rdx
0000000002D0111F and rax,0FFFFFFFFFFFF0000h
0000000002D01125 mov rsi,r9
0000000002D01128 mov r13,r8
0000000002D0112B mov rdx,qword ptr [rax+468h]
0000000002D01132 mov rbp,rcx
0000000002D01135 mov qword ptr [rdx+9DB0h],rcx
0000000002D0113C mov eax,dword ptr [rbx+18h]
Stacktrace of crash:
> JavaScriptCore.dll!operationPutByIdNonStrictOptimize(JSC::ExecState * exec, JSC::StructureStubInfo * stubInfo, __int64 encodedValue, __int64 encodedBase, WTF::StringImpl * uid) Line 300 + 0x28 bytes C++
0000000003d43e32()
0000000006035420()
000000000012ded8()
0000000005f2ff98()
JavaScriptCore.dll!JSC::getCallLinkInfoReturnLocation(JSC::CallLinkInfo * callLinkInfo) Line 105 C++
130a29aa8dcc1fb4()
0000000003c4f9b0()
0000e6c375e3872c()
000000000012ded8()
0000000005f2ff98()
0000000005f2ff98()
00000000ffffffff()
000000000012f288()
0000000003c4f9b0()
0000000001c40e68()
000000000012df30()
JavaScriptCore.dll!JSC::JITCode::execute(JSC::JSStack * stack, JSC::ExecState * callFrame, JSC::VM * vm) Line 49 + 0x19 bytes C++
JavaScriptCore.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program, JSC::ExecState * callFrame, JSC::JSObject * thisObj) Line 883 + 0x28 bytes C++
JavaScriptCore.dll!JSC::evaluate(JSC::ExecState * exec, const JSC::SourceCode & source, JSC::JSValue thisValue, JSC::JSValue * returnedException) Line 85 C++
WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world) Line 145 + 0x41 bytes C++
WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode) Line 162 C++
WebKit.dll!WebCore::ScriptElement::executeScript(const WebCore::ScriptSourceCode & sourceCode) Line 310 + 0x14 bytes C++
WebKit.dll!WebCore::ScriptElement::prepareScript(const WTF::TextPosition & scriptStartPosition, WebCore::ScriptElement::LegacyTypeSupport supportLegacyTypes) Line 241 + 0x3d bytes C++
WebKit.dll!WebCore::HTMLScriptRunner::runScript(WebCore::Element * script, const WTF::TextPosition & scriptStartPosition) Line 304 C++
WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element> * scriptElement, const WTF::TextPosition & scriptStartPosition) Line 177 C++
WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 264 C++
WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 527 + 0x41 bytes C++
WebKit.dll!WebCore::HTMLDocumentParser::resumeParsingAfterYield() Line 252 C++
WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 130 C++
WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 111 C++
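Added illustration (not code from this bug, from WebKit or from JavaScriptCore): a small model of the Microsoft x64 calling convention the comments above are discussing. The caller always reserves 32 bytes of home space below the return address and passes the fifth and later arguments above it, so a callee finds argument 5 at [rsp+28h] on entry; with the prologue shown in the disassembly (five pushes, then sub rsp,50h) that becomes [rsp+0A0h], which is what the debugger displays as [uid]. The faulting instruction dereferences rbx, which was just loaded from that slot, so the example also simulates on a byte array what a callee reads when the caller's layout is off by the 32-byte home space. The argument values, the 0xCC stale filler, the placeholder return address and the 64-byte caller frame are all constructed for the example; the offset arithmetic is the ABI rule, not a claim about what the JIT emitted in this bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Microsoft x64 calling convention constants. */
#define WIN64_REG_ARGS   4u    /* rcx, rdx, r8, r9 carry the first four integer/pointer args */
#define WIN64_SLOT       8u    /* one stack slot */
#define WIN64_ALIGN      16u   /* rsp must be 16-byte aligned at the call instruction */

/* Bytes the caller reserves below its frame before a call with nargs integer
   arguments: 32 bytes of home space for the register args plus one slot per
   extra arg, rounded up to 16. */
unsigned win64_outgoing_area(unsigned nargs)
{
    unsigned slots = nargs < WIN64_REG_ARGS ? WIN64_REG_ARGS : nargs;
    return (slots * WIN64_SLOT + WIN64_ALIGN - 1) & ~(WIN64_ALIGN - 1);
}

/* Caller side: offset from rsp (after the reservation) where arg i (0-based)
   is stored; -1 means it travels in a register. Arg 4 lands at +0x20, just
   above the home space. */
int win64_caller_slot(unsigned i)
{
    return i < WIN64_REG_ARGS ? -1 : (int)(i * WIN64_SLOT);
}

/* Callee side at function entry: the return address is at [rsp], so each
   stack arg is one slot further away than on the caller side (arg 4: +0x28). */
int win64_callee_entry_offset(unsigned i)
{
    return i < WIN64_REG_ARGS ? -1 : (int)(WIN64_SLOT + i * WIN64_SLOT);
}

/* Callee side after a prologue that pushed `npushes` registers and then did
   `sub rsp, frame_sub`: the number the compiler folds into [rsp+NNh] / [uid]. */
int win64_callee_offset_after_prologue(unsigned i, unsigned npushes, unsigned frame_sub)
{
    int entry = win64_callee_entry_offset(i);
    return entry < 0 ? -1 : entry + (int)(npushes * WIN64_SLOT + frame_sub);
}

#define SIM_STACK_BYTES 256
#define SIM_STALE_FILL  0xCC   /* constructed filler standing in for stale stack contents */

/* Simulated call on a byte array: the caller reserves its outgoing area
   (with_home_space == 0 models a caller that forgets the 32-byte home space
   and packs stack args from rsp+0), stores args 4..nargs-1, the call pushes a
   return address, and the callee reads arg `want` at its ABI-mandated slot.
   Returns the value the callee actually observes. */
uint64_t simulate_stack_arg(int with_home_space, unsigned nargs,
                            const uint64_t *args, unsigned want)
{
    uint8_t stack[SIM_STACK_BYTES];
    memset(stack, SIM_STALE_FILL, sizeof stack);
    unsigned rsp = SIM_STACK_BYTES - 64;        /* leave a "caller frame" above */

    unsigned extra = nargs > WIN64_REG_ARGS ? nargs - WIN64_REG_ARGS : 0;
    unsigned area  = with_home_space ? win64_outgoing_area(nargs)
                                     : (extra * WIN64_SLOT + WIN64_ALIGN - 1) & ~(WIN64_ALIGN - 1);
    rsp -= area;
    for (unsigned i = WIN64_REG_ARGS; i < nargs; i++) {
        unsigned off = with_home_space ? (unsigned)win64_caller_slot(i)
                                       : (i - WIN64_REG_ARGS) * WIN64_SLOT;
        memcpy(stack + rsp + off, &args[i], WIN64_SLOT);
    }

    rsp -= WIN64_SLOT;                          /* call: push return address */
    uint64_t ret = 0x4141414141414141ULL;       /* constructed placeholder */
    memcpy(stack + rsp, &ret, WIN64_SLOT);

    int off = win64_callee_entry_offset(want);
    uint64_t seen = 0;
    if (off >= 0 && rsp + (unsigned)off + WIN64_SLOT <= SIM_STACK_BYTES)
        memcpy(&seen, stack + rsp + off, WIN64_SLOT);
    return seen;
}

/* Five-argument call shaped like operationPutByIdNonStrictOptimize (constructed
   values); returns what the callee sees for the fifth argument (`uid`). */
uint64_t demo_uid_seen_by_callee(int with_home_space)
{
    const uint64_t args[5] = { 0x10, 0x20, 0x30, 0x40, 0x7f00000000a0b0c0ULL };
    return simulate_stack_arg(with_home_space, 5, args, 4);
}

int main(void)
{
    printf("outgoing area for 5 args: 0x%x bytes\n", win64_outgoing_area(5));
    printf("uid at entry: [rsp+0x%x]; after 5 pushes + sub rsp,50h: [rsp+0x%x]\n",
           (unsigned)win64_callee_entry_offset(4),
           (unsigned)win64_callee_offset_after_prologue(4, 5, 0x50));
    printf("uid seen with home space:    0x%llx\n", (unsigned long long)demo_uid_seen_by_callee(1));
    printf("uid seen without home space: 0x%llx\n", (unsigned long long)demo_uid_seen_by_callee(0));
    return 0;
}
```

With the home space present the callee reads the pointer the caller stored; without it the callee reads 32 bytes higher and gets whatever stale bytes sit there, which is the kind of bogus value that then faults on the first dereference.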