[Webkit-unassigned] [Bug 136436] REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Sep 1 15:47:22 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=136436
--- Comment #5 from Julien Brianceau <jbriance at cisco.com> 2014-09-01 15:47:26 PST ---
(In reply to comment #4)
> Could you provide a disassembly of operationCallEval? That might help understanding why exec is overwritten. I'm just curious.
Sure. Here is the disassembly, taken from the Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/jit/JITOperations.cpp.o object file (release build with -g):
00003233 <operationCallEval>:
EncodedJSValue JIT_OPERATION operationCallEval(ExecState* exec, ExecState* execCallee)
{
3233: 55 push %ebp
3234: 89 e5 mov %esp,%ebp
3236: 53 push %ebx
3237: 83 ec 34 sub $0x34,%esp
323a: e8 fc ff ff ff call 323b <operationCallEval+0x8>
323f: 81 c3 02 00 00 00 add $0x2,%ebx
ASSERT(exec->codeBlock()->codeType() != FunctionCode
3245: 8b 45 08 mov 0x8(%ebp),%eax
3248: 89 04 24 mov %eax,(%esp)
324b: e8 fc ff ff ff call 324c <operationCallEval+0x19>
3250: 89 04 24 mov %eax,(%esp)
3253: e8 fc ff ff ff call 3254 <operationCallEval+0x21>
|| !exec->codeBlock()->needsActivation()
|| exec->hasActivation());
3258: 83 f8 02 cmp $0x2,%eax
325b: 75 58 jne 32b5 <operationCallEval+0x82>
directPutByVal(exec, asObject(baseValue), subscript, value);
}
EncodedJSValue JIT_OPERATION operationCallEval(ExecState* exec, ExecState* execCallee)
{
ASSERT(exec->codeBlock()->codeType() != FunctionCode
325d: 8b 45 08 mov 0x8(%ebp),%eax
3260: 89 04 24 mov %eax,(%esp)
3263: e8 fc ff ff ff call 3264 <operationCallEval+0x31>
3268: 89 04 24 mov %eax,(%esp)
326b: e8 fc ff ff ff call 326c <operationCallEval+0x39>
3270: 84 c0 test %al,%al
3272: 74 41 je 32b5 <operationCallEval+0x82>
3274: 8b 45 08 mov 0x8(%ebp),%eax
3277: 89 04 24 mov %eax,(%esp)
327a: e8 fc ff ff ff call 327b <operationCallEval+0x48>
327f: 83 f0 01 xor $0x1,%eax
3282: 84 c0 test %al,%al
3284: 74 2f je 32b5 <operationCallEval+0x82>
3286: 8d 83 c0 21 00 00 lea 0x21c0(%ebx),%eax
328c: 89 44 24 0c mov %eax,0xc(%esp)
3290: 8d 83 00 c0 00 00 lea 0xc000(%ebx),%eax
3296: 89 44 24 08 mov %eax,0x8(%esp)
329a: c7 44 24 04 62 02 00 movl $0x262,0x4(%esp)
32a1: 00
32a2: 8d 83 90 20 00 00 lea 0x2090(%ebx),%eax
32a8: 89 04 24 mov %eax,(%esp)
32ab: e8 fc ff ff ff call 32ac <operationCallEval+0x79>
32b0: e8 fc ff ff ff call 32b1 <operationCallEval+0x7e>
|| !exec->codeBlock()->needsActivation()
|| exec->hasActivation());
execCallee->setScope(exec->scope());
32b5: 8b 45 08 mov 0x8(%ebp),%eax
32b8: 89 04 24 mov %eax,(%esp)
32bb: e8 fc ff ff ff call 32bc <operationCallEval+0x89>
32c0: 89 44 24 04 mov %eax,0x4(%esp)
32c4: 8b 45 0c mov 0xc(%ebp),%eax
32c7: 89 04 24 mov %eax,(%esp)
32ca: e8 fc ff ff ff call 32cb <operationCallEval+0x98>
execCallee->setCodeBlock(0);
32cf: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
32d6: 00
32d7: 8b 45 0c mov 0xc(%ebp),%eax
32da: 89 04 24 mov %eax,(%esp)
32dd: e8 fc ff ff ff call 32de <operationCallEval+0xab>
execCallee->setCallerFrame(exec);
32e2: 8b 45 08 mov 0x8(%ebp),%eax
32e5: 89 44 24 04 mov %eax,0x4(%esp)
32e9: 8b 45 0c mov 0xc(%ebp),%eax
32ec: 89 04 24 mov %eax,(%esp)
32ef: e8 fc ff ff ff call 32f0 <operationCallEval+0xbd>
if (!isHostFunction(execCallee->calleeAsValue(), globalFuncEval))
32f4: 8d 45 f0 lea -0x10(%ebp),%eax
32f7: 8b 55 0c mov 0xc(%ebp),%edx
32fa: 89 54 24 04 mov %edx,0x4(%esp)
32fe: 89 04 24 mov %eax,(%esp)
3301: e8 fc ff ff ff call 3302 <operationCallEval+0xcf>
[...]