IonMonkey: Broken return from exception on x64.

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 7 years ago
Modified: 7 years ago

People: (Reporter: sstangl, Unassigned)

Firefox Tracking Flags: (Not tracked)

Attachments: (2 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
Created attachment 558122 [details]
Trigger a HandleException by calling a non-function object.

HandleException (or some related functionality) appears to be incorrectly aligning %rsp on 64-bit systems, with an off-by-sizeof(Value) error with respect to the register array saved by generateEnterJIT(). This manifests as a return to the middle of nowhere, resulting in a segfault.

A bunch of function tests trigger this bug, so it should probably be fixed before that lands. Investigating.
(Reporter)

Comment 1

7 years ago
Created attachment 558124 [details] [diff] [review]
Fix off-by-Value error in generateReturnError on x64.

In generateEnterJIT() on x64, before %rsp is saved, the current registers are pushed along with |vp|. But generateReturnError() forgot to pop off |vp|.
Attachment #558124 - Flags: review?(dvander)
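To make the frame layout in the comment above concrete, here is a constructed C model (added here; not IonMonkey code) of the x64 EnterJIT frame: the callee-saved registers are pushed, then |vp|, then %rsp is recorded, and the error path restores %rsp and pops in reverse. The register count and values are assumptions, and `pop_vp` selects the pre-fix (0) or post-fix (1) behaviour of generateReturnError().

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the x64 EnterJIT frame; not IonMonkey code. */
#define NUM_SAVED_REGS 5          /* assumed number of callee-saved registers pushed */
#define STACK_SLOTS    16
typedef uint64_t Value;           /* sizeof(Value) == 8 on x64: one stack slot */
typedef struct {
    uint64_t slots[STACK_SLOTS];
    int sp;                       /* index of the top slot; grows downward like %rsp */
} Stack;

static void push(Stack *s, uint64_t v) { s->slots[--s->sp] = v; }
static uint64_t pop(Stack *s)          { return s->slots[s->sp++]; }

/* generateEnterJIT (modelled): push the caller's return address, the
   callee-saved registers, then |vp|, and record %rsp for the error path. */
static int enter_jit(Stack *s, const uint64_t *regs, const Value *vp, uint64_t ret_addr) {
    push(s, ret_addr);
    for (int i = 0; i < NUM_SAVED_REGS; i++) push(s, regs[i]);
    push(s, (uint64_t)(uintptr_t)vp);
    return s->sp;                 /* the saved %rsp */
}

/* generateReturnError (modelled): restore %rsp and unwind. With pop_vp == 0 the
   |vp| slot is left on the stack (the bug); with pop_vp == 1 it is popped (the fix).
   Returns the address that `ret` would jump to. */
static uint64_t return_error(Stack *s, int saved_sp, int pop_vp, uint64_t *regs_out) {
    s->sp = saved_sp;
    if (pop_vp) (void)pop(s);
    for (int i = NUM_SAVED_REGS - 1; i >= 0; i--) regs_out[i] = pop(s);
    return pop(s);
}

/* One entry/error-return round trip with constructed register values. */
uint64_t unwound_return_address(int pop_vp) {
    Stack s = { {0}, STACK_SLOTS };
    const uint64_t regs[NUM_SAVED_REGS] = { 0x1111, 0x2222, 0x3333, 0x4444, 0x5555 };
    Value vp_storage[2] = { 0, 0 };   /* stands in for the |vp| argument array */
    uint64_t regs_out[NUM_SAVED_REGS];
    int saved_sp = enter_jit(&s, regs, vp_storage, 0xCAFE);
    return return_error(&s, saved_sp, pop_vp, regs_out);
}

int main(void) {
    printf("fixed path returns to %#llx\n", (unsigned long long)unwound_return_address(1));
    printf("buggy path returns to %#llx\n", (unsigned long long)unwound_return_address(0));
    return 0;
}
```

With the missing pop, every restored register is shifted by one slot and the final `ret` consumes a saved register value instead of the return address, which is the "return to the middle of nowhere" in the description.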
(Reporter)

Comment 2

7 years ago
Created attachment 558125 [details] [diff] [review]
Fix off-by-Value error in generateReturnError() on x64.

Actual patch.
Attachment #558124 - Attachment is obsolete: true
Attachment #558124 - Flags: review?(dvander)
Attachment #558125 - Flags: review?(dvander)
Attachment #558125 - Flags: review?(dvander) → review+
(Reporter)

Comment 3

7 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/8d78407cbf7e
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED