[Webkit-unassigned] [Bug 164351] JSC is crashing on release mode when running exit-from-setter.js when compiled with MSVC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 30 13:19:21 PST 2016 

https://bugs.webkit.org/show_bug.cgi?id=164351

Filip Pizlo <fpizlo at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #295747|                            |review-
              Flags|                            |

--- Comment #4 from Filip Pizlo <fpizlo at apple.com> ---
Comment on attachment 295747
  --> https://bugs.webkit.org/attachment.cgi?id=295747
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=295747&action=review

Please investigate why the stack pointer was not set correctly in the first place.

> Source/JavaScriptCore/ChangeLog:13
> +        What appears to have been going on was that an inline multiplication is attempted to be done in
> +        DFG jit which overflows and returns to baseline jit where the access stub is later called.
> +        When the access stub is called, the stack pointer hasn't been set up properly so that when it
> +        is restored with lea -0xXX(%rbp), %rsp, the stack pointer becomes misaligned and

An intended invariant of JSC is that the stack pointer is set correctly at every baseline JIT bytecode instruction boundary.  This implies that the bug here is that the DFG JIT is not setting the stack pointer to the appropriate height.

> Source/JavaScriptCore/ChangeLog:17
> +        There doesn't seem to be a place where the stack pointer is supposed to be set up before this
> +        call. This change sets up the stack pointer before saves based on what is expected in
> +        PolymorphicAccess.cpp:1104

There is such a place.  What you are describing sounds like a fundamental OSR exit bug, and your fix is a very weak workaround at best.  Many more things depend on the stack pointer being set right, not just PolymorphicAccess.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161130/ebc25350/attachment.html>

More information about the webkit-unassigned mailing list