Re: [JS-internals] JS engine crashes on solaris/amd64

Wed, 30 Oct 2013 01:21:34 -0700 

I ran into the same problem with QtScript (a part of Qt4 which is
based on Webkit).
And I believe I've solved it :-)

Synopsis.

source code:
#include <QtCore/QtCore>
#include <QtScript/QtScript>

int main(int argc, char *argv[])
{
  QCoreApplication a(argc, argv);
  QScriptEngine engine;

  QScriptValue aValue = engine.evaluate("2+3");
  qDebug() << "aValue:" << aValue.toString();

  QScriptValue aFunction = engine.evaluate("(function(a,b) {return a+b;})");
  qDebug() << "aFunction:" << aFunction.toString();

  QScriptValue jsonParser = engine.evaluate(QLatin1String("JSON.parse"));
  qDebug() << "jsonParser:" << jsonParser.toString();

  return 0;
}

Output:
# ./qscript
aValue: "5"
aFunction: "-12571136"
jsonParser: "undefined"

Expected output:
# ./qscript
aValue: "5"
aFunction: "function (a, b) {return a+b;}"
jsonParser: "function parse() {
    [native code]
}"


Webkit uses this scheme for amd64:
Pointer  0000:PPPP:PPPP:PPPP
              0001:****:****:****
Double   FFFE:****:****:****
Integer  FFFF:0000:IIII:IIII

Pointers on the stack on Solaris/amd64 are > 0xFFFF8000.00000000
and thus a pointer on the stack cannot be a double (because of 0xFFFE)
or a integer (because of 0xFFFF0).

So here is the idea:
+#if OS(SOLARIS64)
+// https://bugzilla.mozilla.org/show_bug.cgi?id=577056
+// Memory layout for 64-bit Solaris is different than other 64-bit systems.
+// http://developers.sun.com/solaris/articles/solaris_memory.html
+// User space memory may locate on PART-A (0xFFFFFD80.00000000 -
0xFFFF8000.00000000)
+// and PART-B (0x00008000.00000000 - 0x00000000.04000000).
+        static ALWAYS_INLINE bool isSolaris64StackPointer(JSValue v)
+        {
+            return ((rawValue(v) & 0xFFFF800000000000LL) ==
0xFFFF800000000000LL);
+        }
+#endif
+
         static ALWAYS_INLINE bool isImmediate(JSValue v)
         {
+#if OS(SOLARIS64)
+            if (isSolaris64StackPointer(v))
+                return false;
+#endif
             return rawValue(v) & TagMask;
         }

Pointers to PART-B do not require any special treatment.

Full patch for Qt4:
http://cgit.osdyson.org/qt4-x11.git/tree/debian/patches/dyson-js-solaris-memory-layout.patch

I'm going to check this idea for Firefox.
_______________________________________________
dev-tech-js-engine-internals mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals

Reply via email to