Bug 147561

Summary:

jsc-tailcall: Kraken/stanford-crypto-ccm crashes

Product:

WebKit

Reporter:

Basile Clement <basile_clement>

Component:

JavaScriptCore

Assignee:

Basile Clement <basile_clement>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

msaboff

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	msaboff: review+

Basile Clement

Reported 2015-08-03 09:43:00 PDT

That was an interesting one. When performing a tail call, we are stack-aligning the *top* of the caller frame instead of stack-aligning the *bottom* of that frame. This means that when we do a tail call with a different parity from the parity of the tail caller, we are overwriting part of the tail caller's caller locals. Patch forthcoming.

Attachments
Patch (8.61 KB, patch) 2015-08-03 11:09 PDT, Basile Clement	no flags	Details Formatted Diff Diff
Patch (7.17 KB, patch) 2015-08-03 13:54 PDT, Basile Clement	msaboff: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Basile Clement

Comment 1 2015-08-03 11:09:32 PDT

Created attachment 258082 [details] Patch

Basile Clement

Comment 2 2015-08-03 11:30:33 PDT

Let's actually implement a full fix.

Basile Clement

Comment 3 2015-08-03 13:54:51 PDT

Created attachment 258108 [details] Patch

Michael Saboff

Comment 4 2015-08-03 14:36:30 PDT

Comment on attachment 258108 [details] Patch r=me Do add the call varargs test as we discussed.

Basile Clement

Comment 5 2015-08-03 14:40:06 PDT

Commited in r187767 <http://trac.webkit.org/changeset/187767>.

Note You need to log in before you can comment on or make changes to this bug.