Bug 684563
Opened 13 years ago
Closed 13 years ago
IonMonkey: Broken return from exception on x64.
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: (Reporter: sstangl, Unassigned)
Attachments (2 files, 1 obsolete file):
127 bytes, application/javascript
1.09 KB, patch (dvander: review+)
HandleException (or some related functionality) appears to be incorrectly aligning %rsp on 64-bit systems, with an off-by-sizeof(Value) error with respect to the register array saved by generateEnterJIT(). This manifests as a return to the middle of nowhere, resulting in a segfault. A bunch of function tests trigger this bug, so it should probably be fixed before that lands. Investigating.
Comment 1 • 13 years ago (Reporter)
In generateEnterJIT() on x64, before %rsp is saved, the current registers are pushed along with |vp|. But generateReturnError() forgot to pop off |vp|.
Attachment #558124 - Flags: review?(dvander)
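The stack imbalance described in comment 1, as an added toy model in C that is not IonMonkey code and not part of the original bug thread. The number of saved registers, the slot values and the restore order are assumptions; each slot stands for one 8-byte (sizeof(Value)) stack word.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the x64 stack around the EnterJIT trampoline. Slot values and
 * the number of saved registers are constructed for illustration. */
#define SLOTS 16
#define NUM_SAVED 3            /* assumption: stand-in for the saved register array */
#define RET_ADDR 0x401000u     /* constructed return address of the caller */
#define VP_VALUE 0x7fff0010u   /* constructed |vp| pointer */

typedef struct { uint64_t mem[SLOTS]; size_t sp; } Stack; /* sp = top slot, grows down */

static void push(Stack *s, uint64_t v) { s->mem[--s->sp] = v; }
static uint64_t pop(Stack *s) { return s->mem[s->sp++]; }

/* Prologue as described in comment 1: registers are pushed, then |vp|. */
static void enter_jit(Stack *s) {
    s->sp = SLOTS;
    push(s, RET_ADDR);                 /* pushed by the caller's call instruction */
    for (uint64_t r = 0; r < NUM_SAVED; r++)
        push(s, 0xA0 + r);             /* constructed saved register values */
    push(s, VP_VALUE);
}

/* Error-return epilogue. With pop_vp == 0 it models the bug: |vp| stays on
 * the stack, so every later pop is one 8-byte slot off. Returns the value
 * that `ret` would load into %rip. */
static uint64_t return_error(Stack *s, int pop_vp, uint64_t restored[NUM_SAVED]) {
    if (pop_vp)
        (void)pop(s);                  /* discard |vp| before restoring registers */
    for (int r = NUM_SAVED - 1; r >= 0; r--)
        restored[r] = pop(s);
    return pop(s);                     /* the slot `ret` consumes */
}

uint64_t simulate(int pop_vp, uint64_t restored[NUM_SAVED]) {
    Stack s;
    enter_jit(&s);
    return return_error(&s, pop_vp, restored);
}

int main(void) {
    uint64_t regs[NUM_SAVED];
    printf("balanced: ret -> 0x%llx\n", (unsigned long long)simulate(1, regs));
    printf("vp left:  ret -> 0x%llx\n", (unsigned long long)simulate(0, regs));
    return 0;
}
```

In the unbalanced run the value consumed by `ret` is a saved register, not the caller's return address, which matches the "return to the middle of nowhere" symptom in the description.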
Comment 2 • 13 years ago (Reporter)
Actual patch.
Attachment #558124 - Attachment is obsolete: true
Attachment #558124 - Flags: review?(dvander)
Attachment #558125 - Flags: review?(dvander)
Updated • 13 years ago
Attachment #558125 - Flags: review?(dvander) → review+
Comment 3 • 13 years ago (Reporter)
http://hg.mozilla.org/projects/ionmonkey/rev/8d78407cbf7e
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED