124361 – REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJavascript stub

Bug 124361 - REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJavascript stub

Summary: REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJav...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Other Windows 7

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:

Depends on:
Blocks:	116888
	Show dependency tree / graph

Reported:	2013-11-14 08:52 PST by Michael Saboff
Modified:	2013-11-14 10:11 PST (History)
CC List:	0 users

See Also:

Attachments
Patch (1.12 KB, patch) 2013-11-14 09:01 PST, Michael Saboff	oliver: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2013-11-14 08:52:35 PST

In the inline assembly stub for MSVC X86_64, there is an error in the instruction to save RBP:
      push rbp
=>  mov rbp, rax ; Save previous frame pointer
      mov rbp, rsp

MS inline assembly is Intel format (i.e. <opcode> <dest>, <src>, ...)  The rbp and tax need to be swapped.

Comment 1 Michael Saboff 2013-11-14 09:01:18 PST

Created attachment 216944 [details]
Patch

Comment 2 Michael Saboff 2013-11-14 10:11:15 PST

Committed r159290: <http://trac.webkit.org/changeset/159290>