Bug 126557 - CStack Branch: ARM64 Crash in llint_function_for_call_arity_check running 3d-raytrace.js
Summary: CStack Branch: ARM64 Crash in llint_function_for_call_arity_check running 3d-...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-06 18:13 PST by Michael Saboff
Modified: 2014-01-06 22:26 PST (History)
See Also:


Attachments
Patch (2.11 KB, patch)
2014-01-06 18:20 PST, Michael Saboff
ggaren: review+

Description Michael Saboff 2014-01-06 18:13:33 PST
When running the SunSpider test 3d-raytrace.js, we crash trying to validate the return PC in the frame after the frame was moved for arity in functionArityCheck():

    loadp CommonSlowPaths::ArityCheckData::returnPC[t1], t5
    loadp CommonSlowPaths::ArityCheckData::paddedStackSpace[t1], t0
    call t2
    if ASSERT_ENABLED
        loadp ReturnPC[cfr], t0
        loadp [t0], t0      <==== This fails due to a bad return PC value of 1.
    end
Comment 1 Michael Saboff 2014-01-06 18:20:02 PST
Created attachment 220479 [details]
Patch
Comment 2 Geoffrey Garen 2014-01-06 21:30:27 PST
Comment on attachment 220479 [details]
Patch

r=me

Would be nice to be able to assert that we match GPRInfo.
Comment 3 Michael Saboff 2014-01-06 22:06:12 PST
Committed r161407: <http://trac.webkit.org/changeset/161407>
Comment 4 Michael Saboff 2014-01-06 22:26:39 PST
(In reply to comment #2)
> (From update of attachment 220479 [details])
> r=me
> 
> Would be nice to be able to assert that we match GPRInfo.

I agree. One thing we could do is modify the offline assembler to output some compile asserts before the inline assembly.