I've tracked down a crash in our JIT port to a problem with the trampoline
generation.
The symptom of the crash is: the ScopeChain becomes corrupted and acquires the
value of 1.
void JIT::privateCompileCTIMachineTrampolines(RefPtr<ExecutablePool>* executablePool, void** ctiArrayLengthTrampoline, void** ctiStringLengthTrampoline, void** ctiVirtualCallPreLink, void** ctiVirtualCallLink, void** ctiVirtualCall)
{
    emitPutJITStubArg(regT3, 2);
    ...
    Call callArityCheck2 = call();
    move(regT1, callFrameRegister);
    emitGetJITStubArg(1, regT2); // (1)
    ...
    compileOpCallInitializeCallFrame();
    ...
}
void JIT::compileOpCallInitializeCallFrame()
{
    store32(regT1, Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))));
    loadPtr(Address(regT2, FIELD_OFFSET(JSFunction, m_scopeChain) + FIELD_OFFSET(ScopeChain, m_node)), regT1); // newScopeChain (2)
    storePtr(ImmPtr(JSValuePtr::encode(noValue())), Address(callFrameRegister, RegisterFile::OptionalCalleeArguments * static_cast<int>(sizeof(Register))));
    storePtr(regT2, Address(callFrameRegister, RegisterFile::Callee * static_cast<int>(sizeof(Register))));
    storePtr(regT1, Address(callFrameRegister, RegisterFile::ScopeChain * static_cast<int>(sizeof(Register)))); // (3)
}
So basically, what happens is:
(1) The trampoline loads args[1] into regT2
(2) Loads *(regT2 + offset) into regT1
(3) Stores regT1 at args[-6] and destroys the value (writes 1 to ScopeChain)
I don't understand what this code is trying to do. Comments appreciated.
Toshi
_______________________________________________
webkit-dev mailing list
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
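The data flow the post asks about, as an added C++ model (not WebKit code) that emulates steps (1) to (3) over a plain array standing in for the register file: the ScopeChain slot receives the m_scopeChain.m_node pointer of whatever stub arg 1 points at, so a wrong value in stub arg 1 puts a bogus pointer there. The slot indices, the Register union and the JSFunction stand-in are assumptions of the model; the real values live in RegisterFile::CallFrameHeaderEntry.

```cpp
#include <cstddef>
#include <cstdint>

// One slot of the register file; JSC's Register is a union of the values a
// slot may hold, and this is the subset the model needs.
union Register {
    intptr_t i;
    void*    p;
};

// Header slot indices relative to callFrameRegister. ASSUMED for the model;
// substitute the values from the RegisterFile enum in your tree.
enum CallFrameHeaderEntry {
    kScopeChain              = -7,
    kArgumentCount           = -3,
    kCallee                  = -2,
    kOptionalCalleeArguments = -1,
    kCallFrameHeaderSize     = 8
};

struct ScopeChainNode { int depth; };
// Stand-in for JSFunction, keeping only the m_scopeChain.m_node member.
struct JSFunction { ScopeChainNode* scopeChainNode; };

// Model of compileOpCallInitializeCallFrame: regT1 carries the argument
// count, regT2 the callee loaded from JIT stub arg 1 at step (1).
void initializeCallFrame(Register* callFrameRegister, intptr_t regT1, JSFunction* regT2) {
    callFrameRegister[kArgumentCount].i = regT1;             // store32(regT1, ArgumentCount)
    ScopeChainNode* newScopeChain = regT2->scopeChainNode;   // (2) loadPtr(regT2 + offset) -> regT1
    callFrameRegister[kOptionalCalleeArguments].p = nullptr; // noValue()
    callFrameRegister[kCallee].p = regT2;                    // storePtr(regT2, Callee)
    callFrameRegister[kScopeChain].p = newScopeChain;        // (3) storePtr(regT1, ScopeChain)
}

// Model of the trampoline tail. Stub arg 1 must hold the callee JSFunction*:
// step (2) dereferences whatever it points at, and step (3) writes that into
// the ScopeChain slot. Returns the slot's final contents for inspection.
ScopeChainNode* runTrampoline(Register* stubArgs, Register* newCallFrame, intptr_t argc) {
    JSFunction* regT2 = static_cast<JSFunction*>(stubArgs[1].p); // (1) emitGetJITStubArg(1, regT2)
    initializeCallFrame(newCallFrame, argc, regT2);
    return static_cast<ScopeChainNode*>(newCallFrame[kScopeChain].p);
}
```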