[Webkit-unassigned] [Bug 124409] [Win] JavaScript crashes on 64-bit with JIT enabled.
bugzilla-daemon at webkit.org
Fri Nov 15 14:29:04 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=124409
--- Comment #9 from Michael Saboff <msaboff at apple.com> 2013-11-15 14:27:42 PST ---
(In reply to comment #8)
> I have probably misunderstood something, but below is the disassembly which calls operationPutByIdNonStrictOptimize; I thought we had to also adjust the stack pointer before this call, not only before the call in callToJavaScript?
>
> ...
> ...
> 00000000053D3E00 mov eax,edx
> 00000000053D3E02 mov r9,rax
> 00000000053D3E05 mov rdx,60E91B0h
> 00000000053D3E0F mov rcx,rbp
> 00000000053D3E12 mov dword ptr [rbp+2Ch],1Eh
> 00000000053D3E19 mov r11,1C0AD80h
> 00000000053D3E23 mov qword ptr [r11],rbp
> 00000000053D3E26 mov r11,2CE1100h
> 00000000053D3E30 call r11 < calls operationPutByIdNonStrictOptimize
We shouldn't have to because the stack pointer shouldn't be changed by LLInt or JIT code. From the register dump, rbx is garbage. Could you provide more disassembly for the caller? I'm looking for where arg 5 is put on the stack.
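As an added illustration of the calling-convention point in this comment (not code from WebKit or from either participant): a small C model of the Microsoft x64 convention for integer and pointer arguments, used to check a call site like the one quoted above. The helper names and the two constructed call sequences are assumptions; the ABI facts it encodes (rcx/rdx/r8/r9 for arguments 1 to 4, a 32-byte shadow area reserved by the caller, argument 5 at [rsp+20h], rsp 16-byte aligned at the call instruction) are the documented convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not WebKit code: a model of the Microsoft x64 calling
 * convention (integer/pointer arguments only) for auditing a JIT call site.
 * Facts encoded: args 1..4 travel in rcx, rdx, r8, r9; the caller reserves a
 * 32-byte shadow area at [rsp]; arg 5 sits at [rsp+20h], arg 6 at [rsp+28h],
 * and so on; rsp must be 16-byte aligned when `call` executes.
 * Helper names are hypothetical. */

#define WIN64_SHADOW_SPACE 32u
#define WIN64_REG_ARGS 4u

static const char *const kRegArgs[WIN64_REG_ARGS] = { "rcx", "rdx", "r8", "r9" };

typedef struct {
    const char *reg;      /* register for args 1..4, NULL for stack arguments */
    int32_t stack_offset; /* [rsp+offset] at the call instruction, -1 if in a register */
} ArgLocation;

/* Where the caller must have put 1-based argument `argno` when `call` executes. */
ArgLocation win64_arg_location(unsigned argno)
{
    ArgLocation loc = { NULL, -1 };
    if (argno == 0)
        return loc;
    if (argno <= WIN64_REG_ARGS)
        loc.reg = kRegArgs[argno - 1];
    else
        loc.stack_offset = (int32_t)(WIN64_SHADOW_SPACE + 8u * (argno - WIN64_REG_ARGS - 1));
    return loc;
}

/* rsp must be 16-byte aligned at the call instruction; the callee then sees rsp % 16 == 8. */
int win64_call_site_rsp_aligned(uint64_t rsp)
{
    return (rsp & 0xFu) == 0;
}

/* Outgoing area a caller must reserve for `nargs` integer arguments:
 * shadow space plus 8 bytes per stack argument, rounded up to keep 16-byte alignment. */
uint32_t win64_outgoing_area(unsigned nargs)
{
    uint32_t stack_args = nargs > WIN64_REG_ARGS ? nargs - WIN64_REG_ARGS : 0;
    uint32_t bytes = WIN64_SHADOW_SPACE + 8u * stack_args;
    return (bytes + 15u) & ~15u;
}

/* Given the locations a call sequence writes (read off the disassembly), return a
 * bitmask of argument numbers (bit i = arg i, nargs <= 31) the sequence never set. */
uint32_t win64_missing_args(const ArgLocation *written, size_t n, unsigned nargs)
{
    uint32_t missing = 0;
    for (unsigned i = 1; i <= nargs && i < 32; i++) {
        ArgLocation want = win64_arg_location(i);
        int found = 0;
        for (size_t j = 0; j < n && !found; j++) {
            if (want.reg)
                found = written[j].reg && strcmp(written[j].reg, want.reg) == 0;
            else
                found = written[j].reg == NULL && written[j].stack_offset == want.stack_offset;
        }
        if (!found)
            missing |= 1u << i;
    }
    return missing;
}

/* Constructed call sequence that only loads the four register arguments and then
 * calls a five-argument callee: arg 5 was never stored to [rsp+20h]. */
uint32_t demo_missing_fifth_arg(void)
{
    const ArgLocation writes[] = { {"rcx", -1}, {"rdx", -1}, {"r8", -1}, {"r9", -1} };
    return win64_missing_args(writes, sizeof writes / sizeof writes[0], 5);
}

/* Same constructed sequence with the missing store to [rsp+20h] added. */
uint32_t demo_complete_call(void)
{
    const ArgLocation writes[] = { {"rcx", -1}, {"rdx", -1}, {"r8", -1}, {"r9", -1}, {NULL, 0x20} };
    return win64_missing_args(writes, sizeof writes / sizeof writes[0], 5);
}

int main(void)
{
    ArgLocation a5 = win64_arg_location(5);
    printf("arg 5 expected at [rsp+%xh]; outgoing area for 5 args = %u bytes\n",
           (unsigned)a5.stack_offset, win64_outgoing_area(5));
    printf("missing-arg mask without the stack store: 0x%x, with it: 0x%x\n",
           demo_missing_fifth_arg(), demo_complete_call());
    return 0;
}
```

When reading a call sequence like the one quoted, the store to look for is one relative to rsp at offset 20h (the first slot past the shadow area); stores relative to rbp are frame bookkeeping, not outgoing arguments, unless rbp happens to equal rsp at that point.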