Bug 147561

Summary: jsc-tailcall: Kraken/stanford-crypto-ccm crashes
Product: WebKit
Reporter: Basile Clement <basile_clement>
Component: JavaScriptCore
Assignee: Basile Clement <basile_clement>
Status: RESOLVED FIXED
Severity: Normal
CC: msaboff
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description   Flags
  Patch         none
  Patch         msaboff: review+

Description Basile Clement 2015-08-03 09:43:00 PDT
That was an interesting one. When performing a tail call, we are stack-aligning the *top* of the caller frame instead of stack-aligning the *bottom* of that frame. This means that when we do a tail call with a different parity from the parity of the tail caller, we are overwriting part of the tail caller's caller locals. Patch forthcoming.
Comment 1 Basile Clement 2015-08-03 11:09:32 PDT
Created attachment 258082 [details]
Patch
Comment 2 Basile Clement 2015-08-03 11:30:33 PDT
Let's actually implement a full fix.
Comment 3 Basile Clement 2015-08-03 13:54:51 PDT
Created attachment 258108 [details]
Patch
Comment 4 Michael Saboff 2015-08-03 14:36:30 PDT
Comment on attachment 258108 [details]
Patch

r=me
Do add the call varargs test as we discussed.
Comment 5 Basile Clement 2015-08-03 14:40:06 PDT
Committed in r187767 <http://trac.webkit.org/changeset/187767>.