[Webkit-unassigned] [Bug 164351] New: JSC is crashing on release mode when running exit-from-setter.js when compiled with MSVC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 2 16:57:56 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=164351

            Bug ID: 164351
           Summary: JSC is crashing on release mode when running
                    exit-from-setter.js when compiled with MSVC
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Christopher.reid at sony.com

The RSI register is getting corrupted when exiting from the jsc vm. In MSVC this register is a nonvolatile register and used to store the scope address.

Here's what's going on:

Generated JIT code for Access stub for foo#ECI8tQ:[00000248F1BCC310->00000248F1B878A0, BaselineFunctionCall, 52 (NeverInline)] bc#24 with return point CodePtr(00000248B17F1859): Setter:(Generated, structure = 00000248F1B9C460:[Object, {_f:0, f:1}, NonArray, Proto:00000248F1B4C0A0, Leaf], offset = 1, callLinkInfo = 00000248F1B6F9C0):
    Code at [00000248B17F1EA0, 00000248B17F1F40):
          ...
          0xb17f1eb0: sub $0x10, %rsp
          0xb17f1eb4: mov %rsi, (%rsp)
          0xb17f1eb8: mov %rdi, 0x8(%rsp)
          0xb17f1ebd: mov $0x18, 0x24(%rbp)
          0xb17f1ec4: mov 0x18(%r8), %r8
          0xb17f1ec8: test %r8, %r8
          0xb17f1ecb: jz 0x248b17f1f20
          0xb17f1ed1: sub $0x30, %rsp
          ...
>         0xb17f1f20: lea -0xa0(%rbp), %rsp
          0xb17f1f27: mov (%rsp), %rsi
          0xb17f1f2b: mov 0x8(%rsp), %rdi
          0xb17f1f30: add $0x10, %rsp
          ...

The generated access stub always assumes that RSP is set up to be a constant offset from RBP. This code works fine when run by baseline JIT but not when called by DFG JIT.

Generated Baseline JIT code for foo#ECI8tQ:[00000248F1BCC310->00000248F1B878A0, BaselineFunctionCall, 52 (NeverInline)], instruction count = 52
   Source: function foo(o_, v_) { var o = o_.f; var v = v_.f; o.f = v; o.f = v + 1; }
   Code at [00000248B17F15E0, 00000248B17F1E8B):
              0xb17f15e0: nop
              0xb17f15e1: push %rbp
              0xb17f15e2: mov %rsp, %rbp
              ...
>             0xb17f161d: lea -0x90(%rbp), %rdx
              ...
              0xb17f1637: mov %rdx, %rsp
              ...

Generated DFG JIT code for foo#ECI8tQ:[00000248F1BCCCD0->00000248F1BCC310->00000248F1B878A0, DFGFunctionCall, 52 (NeverInline)], instruction count = 52:
    Optimized with execution counter = 2550.045166/2547.000000, 3
    Code at [00000248B17F2FE0, 00000248B17F3561):
              0xb17f2fe0: push %rbp
              0xb17f2fe1: mov %rsp, %rbp
              ...
>             0xb17f300c: lea -0xb0(%rbp), %rsp
              ...

When the access stub is called by DFG JIT code, the RSP offset from RBP is different causing it to restore the wrong values in to RSI.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161102/46b2601a/attachment.html>

More information about the webkit-unassigned mailing list