88438 2012-06-06 11:41:39 -0700 Setting scratch buffer usage in osrExitGenerationThunkGenerator trashes arg0 on ARM 2012-06-06 12:01:22 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All Unspecified RESOLVED DUPLICATE 87307 P2 Major --- 1 msaboff msaboff oldest_to_newest 642650 0 msaboff 2012-06-06 11:41:39 -0700 In osrExitGenerationThunkGenerator(), after setting up arg0, we store the active length of the scratch register. We use regT0 to set the size, but regT0 is also argumentGPR0 on ARM. .. // Set up one argument. #if CPU(X86) jit.poke(GPRInfo::callFrameRegister, 0); #else jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0); #endif // Tell GC mark phase how much of the scratch buffer is active during call. jit.move(MacroAssembler::TrustedImmPtr(scratchBuffer->activeLengthPtr()), GPRInfo::regT0); <== This wil trash arg0 jit.storePtr(MacroAssembler::TrustedImmPtr(scratchSize), GPRInfo::regT0); MacroAssembler::Call functionCall = jit.call(); ... The fix is to move the storing of the active scratch buffer length to before setting up arg0. A visual inspection of the other locations in the code where we set the scratch buffer active length appear safe. either because we use an allocated register or because regT0 is available. 642673 1 msaboff 2012-06-06 12:01:22 -0700 *** This bug has been marked as a duplicate of bug 87307 ***