RESOLVED FIXED 125694
jsCStack:REGRESSION: "print(“My object: “ + { });” crashes LLINT in op_call
https://bugs.webkit.org/show_bug.cgi?id=125694
Mark Lam
Reported 2013-12-13 09:47:09 PST
Somewhere between r160506 and r160522, the following statement will crash the LLINT in op_call:

    print("My object: " + { });

The following statements do NOT crash the LLINT:

    print("My object: " + 1);
    print("My object: " + "stuff");
    "My object: " + { };

The following also crashes the LLINT:

    var b = "My object: " + { };
    print(b);
Attachments
Patch (2.95 KB, patch)
2013-12-13 13:23 PST, Michael Saboff
fpizlo: review+
Michael Saboff
Comment 1 2013-12-13 13:23:42 PST
Filip Pizlo
Comment 2 2013-12-13 13:28:07 PST
Comment on attachment 219192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=219192&action=review > Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp:47 > - // FIXME: CStack - Align the combination of sentinel frame + callee frame > - // Maybe this should be in callToJavaScript. > - if (!(paddedArgsCount & 1)) > - paddedArgsCount++; > + // Round up paddedArgsCount to keep the stack frame size aligned. > + paddedArgsCount = WTF::roundUpToMultipleOf<2>(paddedArgsCount); Use stackAlignmentRegisters().
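Review bot: the literal 2 in `WTF::roundUpToMultipleOf<2>(paddedArgsCount)` hard-codes the same alignment assumption that the removed `if (!(paddedArgsCount & 1)) paddedArgsCount++;` encoded as a magic number; as the review asks, write it in terms of `stackAlignmentRegisters()` so the padding is expressed with the named alignment constant rather than a bare constant that has to be kept in sync by hand. The hunk also drops the FIXME asking whether this adjustment belongs in callToJavaScript; if that question is still open, carry the note over to the new code rather than losing it with the deleted lines.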
Michael Saboff
Comment 3 2013-12-13 13:33:53 PST