Bug 126557

Summary: CStack Branch: ARM64 Crash in llint_function_for_call_arity_check running 3d-raytrace.js
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
    Patch (Flags: ggaren: review+)

Description Michael Saboff 2014-01-06 18:13:33 PST
When running the SunSpider test 3d-raytrace.js, we crash trying to validate the return PC in the frame after the frame was moved for arity in functionArityCheck().

    loadp CommonSlowPaths::ArityCheckData::returnPC[t1], t5
    loadp CommonSlowPaths::ArityCheckData::paddedStackSpace[t1], t0
    call t2
    if ASSERT_ENABLED
        loadp ReturnPC[cfr], t0
        loadp [t0], t0      <==== This fails due to a bad return PC value of 1.
    end
Comment 1 Michael Saboff 2014-01-06 18:20:02 PST
Created attachment 220479 [details]
Patch
Comment 2 Geoffrey Garen 2014-01-06 21:30:27 PST
Comment on attachment 220479 [details]
Patch

r=me

Would be nice to be able to assert that we match GPRInfo.
Comment 3 Michael Saboff 2014-01-06 22:06:12 PST
Committed r161407: <http://trac.webkit.org/changeset/161407>
Comment 4 Michael Saboff 2014-01-06 22:26:39 PST
(In reply to comment #2)
> (From update of attachment 220479 [details])
> r=me
> 
> Would be nice to be able to assert that we match GPRInfo.

I agree.  One thing we could do is modify the offline assembler to output some compile asserts before the inline assembly.