On Jun 11, 2009, at 10:20 AM, Toshiyasu Morita wrote:

I've tracked down a crash in our JIT port to a problem with the trampoline generation.

The symptom of the crash is: the ScopeChain becomes corrupted and acquires the value of 1.

void JIT::privateCompileCTIMachineTrampolines(RefPtr<ExecutablePool>* executablePool, void** ctiArrayLengthTrampoline, void** ctiStringLengthTrampoline, void** ctiVirtualCallPreLink, void** ctiVirtualCallLink, void** ctiVirtualCall)
{
    emitPutJITStubArg(regT3, 2);
    ...
    Call callArityCheck2 = call();
    move(regT1, callFrameRegister);
    emitGetJITStubArg(1, regT2); // (1)
    ...
    compileOpCallInitializeCallFrame();
    ...
}

void JIT::compileOpCallInitializeCallFrame()
{
    store32(regT1, Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))));

    loadPtr(Address(regT2, FIELD_OFFSET(JSFunction, m_scopeChain) + FIELD_OFFSET(ScopeChain, m_node)), regT1); // newScopeChain (2)

    storePtr(ImmPtr(JSValuePtr::encode(noValue())), Address(callFrameRegister, RegisterFile::OptionalCalleeArguments * static_cast<int>(sizeof(Register))));
    storePtr(regT2, Address(callFrameRegister, RegisterFile::Callee * static_cast<int>(sizeof(Register))));
    storePtr(regT1, Address(callFrameRegister, RegisterFile::ScopeChain * static_cast<int>(sizeof(Register)))); // (3)
}

So basically, what happens is:

(1) The trampoline loads args[1] into regT2

This is restoring the pointer to callee JSFunction*.

(2) Loads *(regT2 + offset) into regT1

This is loading the ScopeChain from the callee function.

(3) Stores regT1 at args[-6] and destroys the value (writes 1 to ScopeChain)

This is setting the ScopeChain in the callframe header so it is passed to the callee.

I don't understand what this code is trying to do. Comments appreciated.

Toshi


_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
