<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - JSC is crashing on release mode when running exit-from-setter.js when compiled with MSVC"
href="https://bugs.webkit.org/show_bug.cgi?id=164351">164351</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>JSC is crashing on release mode when running exit-from-setter.js when compiled with MSVC
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>Christopher.reid@sony.com
</td>
</tr></table>
<p>
<div>
<pre>The RSI register is getting corrupted when exiting from the jsc vm. In MSVC this register is a nonvolatile register and used to store the scope address.
Here's what's going on:
Generated JIT code for Access stub for foo#ECI8tQ:[00000248F1BCC310->00000248F1B878A0, BaselineFunctionCall, 52 (NeverInline)] bc#24 with return point CodePtr(00000248B17F1859): Setter:(Generated, structure = 00000248F1B9C460:[Object, {_f:0, f:1}, NonArray, Proto:00000248F1B4C0A0, Leaf], offset = 1, callLinkInfo = 00000248F1B6F9C0):
Code at [00000248B17F1EA0, 00000248B17F1F40):
...
0xb17f1eb0: sub $0x10, %rsp
0xb17f1eb4: mov %rsi, (%rsp)
0xb17f1eb8: mov %rdi, 0x8(%rsp)
0xb17f1ebd: mov $0x18, 0x24(%rbp)
0xb17f1ec4: mov 0x18(%r8), %r8
0xb17f1ec8: test %r8, %r8
0xb17f1ecb: jz 0x248b17f1f20
0xb17f1ed1: sub $0x30, %rsp
...
<span class="quote">> 0xb17f1f20: lea -0xa0(%rbp), %rsp</span >
0xb17f1f27: mov (%rsp), %rsi
0xb17f1f2b: mov 0x8(%rsp), %rdi
0xb17f1f30: add $0x10, %rsp
...
The generated access stub always assumes that RSP is set up to be a constant offset from RBP. This code works fine when run by baseline JIT but not when called by DFG JIT.
Generated Baseline JIT code for foo#ECI8tQ:[00000248F1BCC310->00000248F1B878A0, BaselineFunctionCall, 52 (NeverInline)], instruction count = 52
Source: function foo(o_, v_) { var o = o_.f; var v = v_.f; o.f = v; o.f = v + 1; }
Code at [00000248B17F15E0, 00000248B17F1E8B):
0xb17f15e0: nop
0xb17f15e1: push %rbp
0xb17f15e2: mov %rsp, %rbp
...
<span class="quote">> 0xb17f161d: lea -0x90(%rbp), %rdx</span >
...
0xb17f1637: mov %rdx, %rsp
...
Generated DFG JIT code for foo#ECI8tQ:[00000248F1BCCCD0->00000248F1BCC310->00000248F1B878A0, DFGFunctionCall, 52 (NeverInline)], instruction count = 52:
Optimized with execution counter = 2550.045166/2547.000000, 3
Code at [00000248B17F2FE0, 00000248B17F3561):
0xb17f2fe0: push %rbp
0xb17f2fe1: mov %rsp, %rbp
...
<span class="quote">> 0xb17f300c: lea -0xb0(%rbp), %rsp</span >
...
When the access stub is called by DFG JIT code, the RSP offset from RBP is different, causing it to restore the wrong values into RSI.</pre>
</div>
</p>
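<p>Added example, not WebKit code and not from the reporter: a small Python stack model that replays the access stub's save/restore sequence quoted above (<code>sub $0x10,%rsp; mov %rsi,(%rsp)</code> on entry, <code>lea -0xa0(%rbp),%rsp; mov (%rsp),%rsi; add $0x10,%rsp</code> on exit) under the two caller frame sizes shown in the disassembly (<code>-0x90(%rbp)</code> for Baseline, <code>-0xb0(%rbp)</code> for DFG). The RBP value, the "scope address" placed in RSI, and the fill pattern for the caller's existing stack slots are constructed placeholders. Besides the corrupted RSI the report describes, the model also shows that the stub's <code>add $0x10,%rsp</code> leaves RSP at the Baseline offset rather than the DFG caller's, since the restore path derives RSP from RBP with a fixed constant.</p>

```python
"""Model of the RSP/RBP frame mismatch described in the report.

Constructed example, not WebKit code. It replays the instruction
sequences quoted in the report (the stub's register save/restore and
the two callers' frame setup) on a tiny register/stack model to show
where the saved RSI ends up and where the stub reads it back from.
"""

# Frame sizes quoted in the report: offset of RSP below RBP when the
# caller reaches the stub.
BASELINE_FRAME = 0x90        # lea -0x90(%rbp), %rdx ; mov %rdx, %rsp
DFG_FRAME = 0xB0             # lea -0xb0(%rbp), %rsp
STUB_RESTORE_OFFSET = 0xA0   # lea -0xa0(%rbp), %rsp in the stub's exit path

RBP = 0x7FFF_0000_1000       # constructed frame-pointer value
SCOPE = 0x0248_F1B9_C460     # constructed "scope address" held in RSI


class Machine:
    """Minimal x86-64 stack model: rbp, rsp, rsi, rdi and 8-byte memory cells."""

    def __init__(self, rbp, frame_size, rsi):
        self.rbp = rbp
        self.rsp = rbp - frame_size          # caller's frame is already set up
        self.rsi = rsi
        self.rdi = 0xDEAD_BEEF               # constructed value; not the focus
        # Slots the caller already uses, filled with a recognisable pattern
        # (constructed) so that a stale read is obvious in the result.
        self.mem = {rbp - off: 0xBAD0_0000 + off
                    for off in range(8, frame_size + 8, 8)}

    def store(self, addr, value):
        self.mem[addr] = value

    def load(self, addr):
        return self.mem.get(addr, 0)


def run_access_stub(m):
    """Replay the save and restore sequence from the quoted access stub."""
    # Entry: sub $0x10,%rsp ; mov %rsi,(%rsp) ; mov %rdi,0x8(%rsp)
    m.rsp -= 0x10
    save_slot = m.rsp
    m.store(m.rsp, m.rsi)
    m.store(m.rsp + 8, m.rdi)
    # The stub then does its own sub $0x30,%rsp and calls the setter; that
    # part is irrelevant here because the exit path resets RSP from RBP.
    # Exit: lea -0xa0(%rbp),%rsp ; mov (%rsp),%rsi ; mov 0x8(%rsp),%rdi ; add $0x10,%rsp
    m.rsp = m.rbp - STUB_RESTORE_OFFSET
    restore_slot = m.rsp
    m.rsi = m.load(m.rsp)
    m.rdi = m.load(m.rsp + 8)
    m.rsp += 0x10
    return save_slot, restore_slot


def simulate(frame_size):
    """Run the stub under a caller with the given frame size.

    Returns (rsi_preserved, rsp_restored, save_off, restore_off), where the
    offsets are distances below RBP of the slot RSI was saved to and the
    slot it was reloaded from.
    """
    m = Machine(RBP, frame_size, SCOPE)
    expected_rsp = m.rsp
    save_slot, restore_slot = run_access_stub(m)
    return (m.rsi == SCOPE, m.rsp == expected_rsp,
            RBP - save_slot, RBP - restore_slot)


if __name__ == "__main__":
    for name, size in (("baseline", BASELINE_FRAME), ("dfg", DFG_FRAME)):
        ok_rsi, ok_rsp, save_off, restore_off = simulate(size)
        print(f"{name:8s} saved rsi at rbp-0x{save_off:x}, "
              f"restored from rbp-0x{restore_off:x}: "
              f"rsi {'preserved' if ok_rsi else 'CORRUPTED'}, "
              f"rsp {'restored' if ok_rsp else 'MISMATCH'}")
```

<p>Under the Baseline frame the save slot and the restore slot coincide (both rbp-0xa0); under the DFG frame RSI is saved at rbp-0xc0 but reloaded from rbp-0xa0, which is one of the caller's own slots, so RSI comes back with whatever the DFG code spilled there.</p>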
</body>
</html>