[Webkit-unassigned] [Bug 146629] [MIPS] webkitgtk crashed if JIT is enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 8 01:31:10 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=146629

--- Comment #6 from Jeffrey <Jeffrey.li at nagra.com> ---
(In reply to comment #4)
> (In reply to comment #3)
> > Guillaume, this looks OK? You didn't run into this issue...?
> 
> I did not run into this issue (yet?), maybe because I've mainly worked with
> jsc only (only compiling WTF/ and JavaScriptCore/).
> I am a little confused by the patch though. I understand that $gp is
> computed by the code of .cpload (emitted by offlineasm for each label),
> which uses $t9. I don't understand how this is different for
> llint_op_catch(), though I didn't study the exception code/protocol, and I
> have a feeling that this is not your regular function, and there might be
> something done with $ra that I did not understand.
> 
> > (In reply to comment #1)
> > > Created attachment 256203 [details]
> > > test case for this issue.
> > 
> > Great. This should probably be added as a testcase under LayoutTests/js.

The .cpload uses the $ra register to compute the $gp value. The jumpToExceptionHandler() uses $t9 as the jump register now. Then in the llint_op_catch() function, $ra will get an incorrect value. This will cause the $gp value to be incorrect too.
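
To make the mechanism discussed in this thread concrete, the following is an added illustration, not code from the bug report or from WebKit's offlineasm, of what the MIPS o32 `.cpload` directive expands to and why the register it names must be the same register the code was entered through. The expansion shown is the standard GNU as one; the labels `caller` and `handler` and the symbol `some_global` are hypothetical.

```asm
# o32 PIC prologue: ".cpload REG" derives $gp from the address held in REG.
# The assembler expands
#     .cpload $t9
# into (with _gp_disp = distance from this code to the GOT):
#     lui   $gp, %hi(_gp_disp)
#     addiu $gp, $gp, %lo(_gp_disp)
#     addu  $gp, $gp, $t9      # $gp = _gp_disp + (address this code was entered at)
#
# $gp is therefore only correct if REG holds the entry address of the code
# being entered. The o32 ABI guarantees that for $t9 on an indirect call:

caller:
        la      $t9, handler          # hypothetical target
        jalr    $t9                   # $t9 = handler, $ra = return address in caller
        nop

handler:
        .set    noreorder
        .cpload $t9                   # correct: $t9 == handler
        .set    reorder
        lw      $t0, %got(some_global)($gp)   # GOT-relative load now resolves properly
        jr      $ra
        nop

# If the prologue instead reads the address from a register the jump did not
# set (for example ".cpload $ra" after a "jr $t9"), $gp becomes
# _gp_disp + <whatever that register happens to hold>, i.e. a wrong GOT
# pointer. Every later GOT-relative load through $gp then dereferences garbage,
# which is the kind of crash this bug reports.
```

The practical check when debugging such a crash is to compare, at the faulting label, the register named in the emitted `.cpload` against the register the preceding jump actually used; if they differ, `$gp` is wrong from the first instruction of the handler onward.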
