Bug 55957 - function arguments in load_var_args are shifted by one in the interpreter
Status: RESOLVED INVALID
https://bugs.webkit.org/show_bug.cgi?id=55957

Landry Breuil
Reported 2011-03-08 12:03:46 PST
As found out by Todd Carson, function arguments are shifted by one on platforms not using the JIT, in our case OpenBSD/mips64el. In changeset 60392 (http://trac.webkit.org/changeset/60392/trunk/JavaScriptCore/interpreter/Interpreter.cpp), the following change was made around line 3050:

- argCount = (uint32_t)(callFrame->argumentCount()) - 1;
+ argCount = (uint32_t)(callFrame->argumentCount());

Reverting it fixes the issue (see http://www.openbsd.org/cgi-bin/cvsweb/ports/www/webkit/patches/patch-JavaScriptCore_interpreter_Interpreter_cpp?rev=1.1;content-type=text%2Fplain).

However, in webkitgtk the following commit was made: http://gitorious.org/webkitgtk/stable/commit/f236c158708a2116a799174bd2722fd721e663c4, referencing https://bugs.webkit.org/show_bug.cgi?id=41351, which I can't access.

So can someone confirm whether it's a WebKit issue (mistakenly removing the -1 when committing r60392?) or a webkitgtk-only issue?
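Review bot: the quoted hunk drops the "- 1" from argCount without saying which counting convention callFrame->argumentCount() follows at that revision, and no test case accompanies the report; since the JIT form of the same opcode still uses "- 1" (Comment 3), the change should come with a test that calls a function through Function.prototype.apply with a known array under the interpreter and checks the callee's arguments, so the interpreter and JIT results can be compared directly rather than inferred from the diff.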
Alexey Proskuryakov
Comment 1 2011-03-08 15:19:43 PST
The Gtk commit looks quite suspicious indeed. The fix it was merging is r62456, but there are bits of r60392, too.
Geoffrey Garen
Comment 2 2011-03-17 17:44:59 PDT
Looks like a real bug to me.
Geoffrey Garen
Comment 3 2011-03-17 17:45:17 PDT
The JIT version of the same opcode uses "- 1".
Oliver Hunt
Comment 4 2011-03-17 17:59:24 PDT
Do you have a testcase for this -- as far as I can tell the behaviour is correct (at least in ToT), although there's an interpreter fix in r60720 which might have been missed?
Gavin Barraclough
Comment 5 2012-09-25 13:48:48 PDT
This code no longer exists in ToT.