[Webkit-unassigned] [Bug 137955] Crashes in WinCairo 64-bit
bugzilla-daemon at webkit.org
Tue Dec 2 11:33:40 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=137955
--- Comment #1 from Michael Saboff <msaboff at apple.com> ---
The disassembly that you listed does look like JIT'ed code, due to comparing with r15, the use of r11 as a temp register, the move 0 into r11, comparing r11 to rdx. The sequence
0000000020961100 mov r11,0
000000002096110A cmp rdx,r11
000000002096110D jne 0000000020961126
is probably emitted by a call to branchPtrWithPatch().
Looking at the whole sequence, it looks like it was emitted by SpeculativeJIT::emitCall(). What is curious is that the value moved into r11 at
0000000020961100 mov r11,0
and the call target at
000000002096111C call 0000000020961121
have not been "linked" to real call target values. I think that is the bug here, we are calling a function but haven't been linked to that function.
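The two tell-tales in the comment above, an x86-64 `mov r11, imm64` whose immediate is still zero and a `call rel32` whose displacement is zero (so it "calls" the very next instruction, 0x2096111C + 5 = 0x20961121), are what a patchable branch or call site looks like before the JIT links it. The following scanner, an added example and not WebKit code, decodes a constructed byte sequence laid out to match the addresses in the listing (the 13 bytes between the `jne` and the `call` are NOP filler standing in for instructions the comment does not show; the real crash bytes are not available here) and flags sites whose placeholders were never patched. The opcode patterns (`49 BB` for `mov r11,imm64`, `4C 39 DA` for `cmp rdx,r11`, `E8` for `call rel32`) are standard encodings; the sample bytes and the helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One suspicious patch site found in a JIT code region. */
struct patch_site {
    uint64_t addr;     /* address of the instruction */
    const char *kind;  /* "mov r11,imm64" or "call rel32" */
    uint64_t value;    /* decoded immediate, or the computed call target */
};

/* Constructed sample (assumed bytes, not the real crash dump), laid out to
 * match the listed addresses when loaded at base 0x20961100:
 *   +0x00 mov r11,0           (49 BB imm64, 10 bytes)
 *   +0x0A cmp rdx,r11         (4C 39 DA)
 *   +0x0D jne +0x17 -> +0x26  (75 17)
 *   +0x0F 13 x nop            filler for instructions not shown in the comment
 *   +0x1C call rel32=0        (E8 00 00 00 00, targets +0x21, i.e. next insn)
 */
const uint8_t kSampleCode[] = {
    0x49, 0xBB, 0, 0, 0, 0, 0, 0, 0, 0,
    0x4C, 0x39, 0xDA,
    0x75, 0x17,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0xE8, 0, 0, 0, 0,
};
const size_t kSampleLen = sizeof kSampleCode;

/* Linear-sweep the small instruction subset used in the sample and record
 * patchable sites still holding their placeholder: a mov r11,imm64 with a
 * zero immediate, or a call rel32 with rel32 == 0 (call to next instruction).
 * Returns the number of sites recorded, or -1 on an opcode it does not know. */
int scan_unlinked_sites(const uint8_t *code, size_t len, uint64_t base,
                        struct patch_site *out, size_t max_out)
{
    size_t i = 0, n = 0;
    while (i < len) {
        uint64_t addr = base + i;
        if (i + 10 <= len && code[i] == 0x49 && code[i + 1] == 0xBB) {
            uint64_t imm = 0;                        /* little-endian imm64 */
            for (int b = 0; b < 8; b++)
                imm |= (uint64_t)code[i + 2 + b] << (8 * b);
            if (imm == 0 && n < max_out) {
                out[n].addr = addr; out[n].kind = "mov r11,imm64"; out[n].value = imm; n++;
            }
            i += 10;
        } else if (i + 3 <= len && code[i] == 0x4C && code[i + 1] == 0x39 && code[i + 2] == 0xDA) {
            i += 3;                                   /* cmp rdx,r11 */
        } else if (i + 2 <= len && code[i] == 0x75) {
            i += 2;                                   /* jne rel8 */
        } else if (code[i] == 0x90) {
            i += 1;                                   /* nop */
        } else if (i + 5 <= len && code[i] == 0xE8) {
            uint32_t raw = (uint32_t)code[i + 1] | ((uint32_t)code[i + 2] << 8) |
                           ((uint32_t)code[i + 3] << 16) | ((uint32_t)code[i + 4] << 24);
            int32_t rel = (int32_t)raw;
            uint64_t target = addr + 5 + (uint64_t)(int64_t)rel; /* rel32 is from next insn */
            if (rel == 0 && n < max_out) {
                out[n].addr = addr; out[n].kind = "call rel32"; out[n].value = target; n++;
            }
            i += 5;
        } else {
            return -1;                                /* unsupported opcode in this subset */
        }
    }
    return (int)n;
}

int main(void)
{
    struct patch_site sites[8];
    int n = scan_unlinked_sites(kSampleCode, kSampleLen, 0x20961100ULL, sites, 8);
    for (int k = 0; k < n; k++)
        printf("%016llx  %-14s  value=%016llx  (unlinked placeholder)\n",
               (unsigned long long)sites[k].addr, sites[k].kind,
               (unsigned long long)sites[k].value);
    return n < 0;
}
```

Run against the constructed bytes it reports exactly the two sites the comment singles out, the `mov r11,0` at 0x20961100 and the `call` at 0x2096111C resolving to 0x20961121. A zero `rel32` on its own is not proof of a bug (hand-written position-independent code sometimes calls the next instruction to read RIP), but inside JIT output that also carries an unpatched `mov r11,0` it is the signature of a call site that was emitted and never linked.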