Bug 125694 - jsCStack:REGRESSION: "print(“My object: “ + { });” crashes LLINT in op_call
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-13 09:47 PST by Mark Lam
Modified: 2013-12-13 13:33 PST
CC: 5 users

See Also:


Attachments
Patch (2.95 KB, patch)
2013-12-13 13:23 PST, Michael Saboff
fpizlo: review+

Description Mark Lam 2013-12-13 09:47:09 PST
Somewhere between r160506 and r160522, the following statement will crash the LLINT in op_call:

    print("My object: " + { });

The following statements do NOT crash the LLINT:

    print("My object: " + 1);

    print("My object: " + "stuff");

    "My object: " + { };

The following also crashes the LLINT:

    var b = "My object: " + { };
    print(b);
Comment 1 Michael Saboff 2013-12-13 13:23:42 PST
Created attachment 219192
Patch
Comment 2 Filip Pizlo 2013-12-13 13:28:07 PST
Comment on attachment 219192
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=219192&action=review

> Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp:47
> -    // FIXME: CStack - Align the combination of sentinel frame + callee frame
> -    // Maybe this should be in callToJavaScript.
> -    if (!(paddedArgsCount & 1))
> -        paddedArgsCount++;
> +    // Round up paddedArgsCount to keep the stack frame size aligned.
> +    paddedArgsCount = WTF::roundUpToMultipleOf<2>(paddedArgsCount);
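Review bot: the literal 2 in `WTF::roundUpToMultipleOf<2>(paddedArgsCount)` hard-codes the stack alignment in register slots at this one call site; the deleted FIXME recorded that this rounding exists to keep the sentinel frame plus callee frame aligned, so the multiple should be taken from the named alignment constant the stack layout already defines rather than a bare literal, and the replacement comment should state that alignment requirement instead of only "keep the stack frame size aligned". The removed comment's open question about whether this rounding belongs in callToJavaScript is also dropped without being answered.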

Use stackAlignmentRegisters().
Comment 3 Michael Saboff 2013-12-13 13:33:53 PST
Committed r160562: <http://trac.webkit.org/changeset/160562>