Bug 125694

Summary: jsCStack: REGRESSION: print("My object: " + { }); crashes LLINT in op_call
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, ggaren, mhahnenberg, msaboff, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (fpizlo: review+)

Mark Lam
Reported 2013-12-13 09:47:09 PST
Somewhere between r160506 and r160522, the following statement will crash the LLINT in op_call:

    print("My object: " + { });

The following statements do NOT crash the LLINT:

    print("My object: " + 1);
    print("My object: " + "stuff");
    "My object: " + { };

The following also crashes the LLINT:

    var b = "My object: " + { };
    print(b);
Attachments
Patch (2.95 KB, patch), 2013-12-13 13:23 PST, Michael Saboff. Flags: fpizlo: review+
Michael Saboff
Comment 1 2013-12-13 13:23:42 PST
Filip Pizlo
Comment 2 2013-12-13 13:28:07 PST
Comment on attachment 219192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=219192&action=review > Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp:47 > - // FIXME: CStack - Align the combination of sentinel frame + callee frame > - // Maybe this should be in callToJavaScript. > - if (!(paddedArgsCount & 1)) > - paddedArgsCount++; > + // Round up paddedArgsCount to keep the stack frame size aligned. > + paddedArgsCount = WTF::roundUpToMultipleOf<2>(paddedArgsCount); Use stackAlignmentRegisters().
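Review bot: the replacement silently flips the parity this adjustment enforces, and the new comment does not say why. The removed `if (!(paddedArgsCount & 1)) paddedArgsCount++;` left paddedArgsCount odd, whereas `paddedArgsCount = WTF::roundUpToMultipleOf<2>(paddedArgsCount);` leaves it even; "Round up paddedArgsCount to keep the stack frame size aligned" should state which other frame term the rounding now accounts for so the next reader does not "fix" it back. The hard-coded 2 also duplicates the platform stack alignment; use stackAlignmentRegisters() (as already requested) so this rounding cannot drift from the constant the rest of the call-frame layout uses. Finally, the deleted FIXME asked whether this belongs in callToJavaScript; the replacement comment should say whether that question is settled or still open.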
Michael Saboff
Comment 3 2013-12-13 13:33:53 PST