Bug 55957
| Summary: | function arguments in load_var_args are shifted by one in the interpreter | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Landry Breuil <landry> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | barraclough, ddkilzer, ggaren, gustavo, oliver |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Other | | |
| OS: | Other | | |
Landry Breuil
As found out by Todd Carson, function arguments are shifted by one on platforms not using JIT, here in our case OpenBSD/mips64el.
In changeset 60392 (http://trac.webkit.org/changeset/60392/trunk/JavaScriptCore/interpreter/Interpreter.cpp),
the following change was made around line 3050:
- argCount = (uint32_t)(callFrame->argumentCount()) - 1;
+ argCount = (uint32_t)(callFrame->argumentCount());
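Review bot: the `- 1` is dropped from `argCount` while nothing in this hunk changes what `callFrame->argumentCount()` returns; if that count still includes the extra slot the `- 1` was compensating for, every argument that `op_load_varargs` copies in the interpreter lands one position off, which is exactly the shift reported here. Before landing, confirm that the interpreter and JIT implementations of this opcode compute the count the same way (the JIT version reportedly still subtracts 1), or keep `argCount = (uint32_t)(callFrame->argumentCount()) - 1;` on the non-JIT path.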
Reverting it fixes the issue. (see http://www.openbsd.org/cgi-bin/cvsweb/ports/www/webkit/patches/patch-JavaScriptCore_interpreter_Interpreter_cpp?rev=1.1;content-type=text%2Fplain)
However, in webkitgtk the following commit was made :
http://gitorious.org/webkitgtk/stable/commit/f236c158708a2116a799174bd2722fd721e663c4 referencing https://bugs.webkit.org/show_bug.cgi?id=41351 which I can't access.
So can someone confirm it's a webkit issue (mistakenly removing the -1 when committing r60392?) or a webkitgtk-only issue?
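No testcase is attached to the bug, so here is an added reproducer written for this page; it is not part of the report and not WebKit code. It assumes that `Function.prototype.apply` is what exercises the `op_load_varargs` path under discussion, and that an off-by-one in the interpreter's argument count would show up as the callee seeing its arguments at the wrong positions (or the wrong count). The helper names `probe`, `diffArgs`, `checkApply` and `runChecks` and all the inputs are constructed for this example.

```javascript
'use strict';

// Added testcase (not from the bug report): exercise the Function.prototype.apply
// path, which is assumed to be what op_load_varargs implements, and report any
// argument that reaches the callee at a different position than it was sent.

// Callee that records exactly what it received. Strict mode keeps `this`
// unboxed so the comparison below is exact for null/undefined/primitives.
function probe() {
  return { thisValue: this, args: Array.prototype.slice.call(arguments) };
}

// Compare the argument list the caller sent with what the callee saw.
// Object.is is used so NaN compares equal to itself and -0 differs from +0.
function diffArgs(sent, received) {
  const problems = [];
  if (received.length !== sent.length) {
    problems.push('length: sent ' + sent.length + ', got ' + received.length);
  }
  const n = Math.max(sent.length, received.length);
  for (let i = 0; i < n; i++) {
    if (!Object.is(sent[i], received[i])) {
      problems.push('arg[' + i + ']: sent ' + String(sent[i]) + ', got ' + String(received[i]));
    }
  }
  return problems;
}

// Run one apply() call and return a list of mismatches (empty means correct).
function checkApply(thisArg, argArray) {
  const result = probe.apply(thisArg, argArray);
  const problems = diffArgs(argArray, result.args);
  if (!Object.is(result.thisValue, thisArg)) {
    problems.push('this: sent ' + String(thisArg) + ', got ' + String(result.thisValue));
  }
  return problems;
}

// Constructed inputs covering the shapes apply() accepts: empty array,
// single argument, mixed values, an arguments object, and a long list.
function runChecks() {
  const argumentsObject = (function () { return arguments; })('x', 'y', 'z');
  const cases = [
    { name: 'empty', thisArg: null, args: [] },
    { name: 'single', thisArg: undefined, args: [42] },
    { name: 'mixed', thisArg: { tag: 'obj' }, args: ['a', 2, null, undefined, NaN, -0] },
    { name: 'arguments object', thisArg: 'str', args: argumentsObject },
    { name: 'long', thisArg: null, args: Array.from({ length: 40 }, (_, i) => i) },
  ];
  const failures = [];
  for (const c of cases) {
    const problems = checkApply(c.thisArg, c.args);
    if (problems.length) failures.push({ name: c.name, problems });
  }
  return failures;
}

// When run directly under node, print a summary; in a bare engine shell
// (no require), call runChecks() yourself and inspect the returned array.
if (typeof require !== 'undefined' && require.main === module) {
  const failures = runChecks();
  console.log(failures.length ? JSON.stringify(failures, null, 2) : 'all apply() checks passed');
}
```

On a correct engine `runChecks()` returns an empty array; on an interpreter with the shift described in the report, each case would come back with a length mismatch and a per-position list showing which value landed where, which is the evidence a maintainer needs to tell an interpreter-only bug from a port-specific patching problem.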
Alexey Proskuryakov
The Gtk commit looks quite suspicious indeed. The fix it was merging is r62456, but there are bits of r60392, too.
Geoffrey Garen
Looks like a real bug to me.
Geoffrey Garen
The JIT version of the same opcode uses "- 1".
Oliver Hunt
Do you have a testcase for this -- as far as I can tell the behaviour is correct (at least in ToT), although there's an interpreter fix in r60720 which might have been missed?
Gavin Barraclough
This code no longer exists in ToT.