[Webkit-unassigned] [Bug 124675] [Win] JavaScript JIT crash (with DFG enabled).
bugzilla-daemon at webkit.org
Wed Nov 20 16:02:52 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=124675
--- Comment #5 from Michael Saboff <msaboff at apple.com> 2013-11-20 16:01:24 PST ---
(In reply to comment #0)
> I'm currently getting a reproducible crash in JIT code with DFG enabled.
> The crash is an access reading violation.
>
> The offending instruction is shown in the disassembly below:
>
> 058F204B jmp 05501EA3
> 058F2050 mov esi,eax
> 058F2052 mov eax,0FFFFFFFBh < The value assigned to eax causing the access violation is set here, I think.
> 058F2057 mov ebx,5501EA3h
> 058F205C push ebx
> 058F205D jmp 058F2080
The code above is generated by linkClosureCall():
…
    AssemblyHelpers::Jump done = stubJit.jump();

    slowPath.link(&stubJit);
    stubJit.move(calleeGPR, GPRInfo::nonArgGPR0);
#if USE(JSVALUE32_64)
    stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::nonArgGPR1);
#endif
    stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2);
    stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2);
    AssemblyHelpers::Jump slow = stubJit.jump();
..
> 058F2062 add byte ptr [eax],al
> 058F2064 add byte ptr [eax],al
> 058F2066 add byte ptr [eax],al
> 058F2068 add byte ptr [eax],al
> 058F206A add byte ptr [eax],al
> 058F206C add byte ptr [eax],al
> 058F206E add byte ptr [eax],al
> 058F2070 add byte ptr [eax],al
> 058F2072 add byte ptr [eax],al
> 058F2074 add byte ptr [eax],al
> 058F2076 add byte ptr [eax],al
> 058F2078 add byte ptr [eax],al
> 058F207A add byte ptr [eax],al
> 058F207C add byte ptr [eax],al
> 058F207E add byte ptr [eax],al
> 058F2080 cmp edx,0FFFFFFFBh
> 058F2083 jne 058F20B7
> 058F2089 mov ebx,dword ptr [eax] < Crash, access reading violation 0FFFFFFFBh
This code is generated by virtualForThunkGenerator():
#if USE(JSVALUE64)
    slowCase.append(
        jit.branchTest64(
            CCallHelpers::NonZero, GPRInfo::regT0, GPRInfo::tagMaskRegister));
#else
    slowCase.append(
        jit.branch32(
            CCallHelpers::NotEqual, GPRInfo::regT1,
            CCallHelpers::TrustedImm32(JSValue::CellTag)));
#endif
    jit.loadPtr(CCallHelpers::Address(GPRInfo::regT0, JSCell::structureOffset()), GPRInfo::nonArgGPR2);
    slowCase.append(
        jit.branchPtr(
            CCallHelpers::NotEqual,
            CCallHelpers::Address(GPRInfo::nonArgGPR2, Structure::classInfoOffset()),
            CCallHelpers::TrustedImmPtr(JSFunction::info())));
The fix is to change nonArgGPR0 and nonArgGPR1 to be regT0 and regT1 respectively in linkClosureCall().
Patch in progress.
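The comment above pins the crash on a register-contract mismatch between the two emitters: the closure-call slow path hands the callee and tag over in nonArgGPR0/nonArgGPR1, while the virtual-call thunk expects them in regT0/regT1. On 32-bit x86 those symbolic names share physical registers, so one move clobbers the other. The following is an added model of that mismatch, not JavaScriptCore code and not part of the bug thread. The mapping of symbolic names to physical registers (regT0 = eax, regT1 = edx, nonArgGPR0 = esi, nonArgGPR1 = eax, nonArgGPR2 = ebx) is an assumption read off the posted disassembly, and the call-site register state is constructed, not captured from a real process:

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

// Physical x86 registers used below; values index the model register file.
enum X86Reg : int { eax = 0, edx, ecx, ebx, esi, edi, kNumRegs };

// Symbolic JSC names mapped as the posted disassembly implies (assumption):
//   stub:  mov esi,eax ; mov eax,CellTag ; mov ebx,retaddr
//   thunk: cmp edx,CellTag ; mov ebx,[eax]
constexpr X86Reg regT0 = eax;
constexpr X86Reg regT1 = edx;
constexpr X86Reg nonArgGPR0 = esi;
constexpr X86Reg nonArgGPR1 = eax;  // aliases regT0: this is the root cause
constexpr X86Reg nonArgGPR2 = ebx;

constexpr uint32_t kCellTag = 0xFFFFFFFBu;  // JSValue::CellTag on 32-bit (-5)
constexpr uint32_t kRetAddr = 0x05501EA3u;  // return location from the disassembly

using RegFile = std::array<uint32_t, kNumRegs>;

// Register state at the slow-path branch: callee cell in eax (calleeGPR),
// tag already in edx. Constructed to match the crash, not a real dump.
RegFile callSiteState(uint32_t calleeCell) {
    RegFile r{};
    r[eax] = calleeCell;
    r[edx] = kCellTag;
    return r;
}

// Model of the moves the slow path emits, parameterised by where the callee
// and the tag land. Order matters: the callee is copied before the tag is set.
void emitSlowPath(RegFile& r, X86Reg calleeGPR, X86Reg calleeDst, X86Reg tagDst) {
    r[calleeDst] = r[calleeGPR];
    r[tagDst] = kCellTag;
    r[nonArgGPR2] = kRetAddr;
}

// Model of the thunk's entry: it expects the cell in regT0 and the tag in
// regT1, then loads [regT0 + JSCell::structureOffset()] (offset 0 in the
// disassembly). Returns the address that load dereferences, or 0 when the
// tag check diverts to the slow case instead.
uint32_t thunkLoadAddress(const RegFile& r) {
    if (r[regT1] != kCellTag)
        return 0;
    return r[regT0];
}

// Before the fix: callee -> nonArgGPR0, tag -> nonArgGPR1 (which is regT0),
// so the tag overwrites the pointer the thunk is about to dereference.
uint32_t loadAddressBeforeFix(uint32_t calleeCell) {
    RegFile r = callSiteState(calleeCell);
    emitSlowPath(r, eax, nonArgGPR0, nonArgGPR1);
    return thunkLoadAddress(r);
}

// After the fix: callee -> regT0, tag -> regT1, matching the thunk's contract.
uint32_t loadAddressAfterFix(uint32_t calleeCell) {
    RegFile r = callSiteState(calleeCell);
    emitSlowPath(r, eax, regT0, regT1);
    return thunkLoadAddress(r);
}

int main() {
    const uint32_t callee = 0x05A01000u;  // constructed heap address
    std::printf("regT0 aliases nonArgGPR1: %s\n", regT0 == nonArgGPR1 ? "yes" : "no");
    std::printf("before fix: thunk loads from %08x\n", loadAddressBeforeFix(callee));
    std::printf("after fix:  thunk loads from %08x\n", loadAddressAfterFix(callee));
    return 0;
}
```

Running the model reproduces the faulting address from the report: before the fix the thunk dereferences 0xFFFFFFFB (the CellTag), after the fix it dereferences the callee cell. The general lesson is that symbolic register names in a JIT are a calling convention between separately generated code, and every emitter on one side of a jump has to match the register contract of the consumer on the other side, per target.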