Bug 126557

Summary: CStack Branch: ARM64 Crash in llint_function_for_call_arity_check running 3d-raytrace.js
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch ggaren: review+

Michael Saboff
Reported 2014-01-06 18:13:33 PST
When running the sun spider test 3d-raytrace.js, we crash trying to validate the return PC in the frame after the frame was moved for arity in functionArityCheck() loadp CommonSlowPaths::ArityCheckData::returnPC[t1], t5 loadp CommonSlowPaths::ArityCheckData::paddedStackSpace[t1], t0 call t2 if ASSERT_ENABLED loadp ReturnPC[cfr], t0 loadp [t0], t0 <==== This fails due to a bad return PC value of 1. end
Attachments
Patch (2.11 KB, patch)
2014-01-06 18:20 PST, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2014-01-06 18:20:02 PST
Created attachment 220479 [details] Patch
Geoffrey Garen
Comment 2 2014-01-06 21:30:27 PST
Comment on attachment 220479 [details] Patch r=me Would be nice to be able to assert that we match GPRInfo.
Michael Saboff
Comment 3 2014-01-06 22:06:12 PST
Committed r161407: <http://trac.webkit.org/changeset/161407>
Michael Saboff
Comment 4 2014-01-06 22:26:39 PST
(In reply to comment #2) > (From update of attachment 220479 [details]) > r=me > > Would be nice to be able to assert that we match GPRInfo. I agree. One thing we could do is modify the offline assembler to output some compile asserts before the inline assembly.
Note You need to log in before you can comment on or make changes to this bug.