<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Shrinkwrapping crashes Chromium on Windows"
   href="https://llvm.org/bugs/show_bug.cgi?id=25723">25723</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Shrinkwrapping crashes Chromium on Windows
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Backend: X86
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>hans@chromium.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org, qcolombet@apple.com, rnk@google.com
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Using Clang r254480 with shrink-wrapping enabled causes Chromium to crash in
start-up, and lots of tests to fail.

Note to self for reproducing:
out\Release\webkit_unit_tests --single-process-tests
-gtest_filter=WebViewTest.BrokenImage
In WinDbg we can break on the function below with:
bm webkit_unit_tests!WTF::PartBoundFunctionImpl*3*BackgroundHTMLParser


I think what's happening is the shrink-wrapping doesn't account for the _chkstk
call below.

I'll try to come up with a reduction or other repro, but at least I know why
we're crashing now.

Without shrinkwrapping:

webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator():
029902c0 55              push    ebp
029902c1 89e5            mov     ebp,esp
029902c3 b80c000000      mov     eax,0Ch                                        
029902c8 e833f2ae00      call    webkit_unit_tests!_chkstk (0347f500)   
029902cd 8b4110          mov     eax,dword ptr [ecx+10h]                        
029902d0 c7411000000000  mov     dword ptr [ecx+10h],0
029902d7 89442408        mov     dword ptr [esp+8],eax                          
029902db 8b410c          mov     eax,dword ptr [ecx+0Ch]                        
029902de c7410c00000000  mov     dword ptr [ecx+0Ch],0
029902e5 89442404        mov     dword ptr [esp+4],eax                          
029902e9 8b4108          mov     eax,dword ptr [ecx+8]                          
029902ec 8d4904          lea     ecx,[ecx+4]
029902ef 890424          mov     dword ptr [esp],eax                            
029902f2 85c0            test    eax,eax
029902f4 7403            je     
webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()+0x39
(029902f9)             
029902f6 f0ff00          lock inc dword ptr [eax]
029902f9 e812000000      call    webkit_unit_tests!WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()
(02990310)
029902fe 89ec            mov     esp,ebp
02990300 5d              pop     ebp                                            
02990301 c3              ret

With shrinkwrapping:

webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator():
0177fd80 b80c000000      mov     eax,0Ch
0177fd85 e876efae00      call    webkit_unit_tests!_chkstk (0226ed00)   <--- Allocates stack for the call below!
0177fd8a 8b4110          mov     eax,dword ptr [ecx+10h]
0177fd8d c7411000000000  mov     dword ptr [ecx+10h],0
0177fd94 89442408        mov     dword ptr [esp+8],eax
0177fd98 8b410c          mov     eax,dword ptr [ecx+0Ch]
0177fd9b c7410c00000000  mov     dword ptr [ecx+0Ch],0
0177fda2 89442404        mov     dword ptr [esp+4],eax
0177fda6 8b4108          mov     eax,dword ptr [ecx+8]
0177fda9 8d4904          lea     ecx,[ecx+4]
0177fdac 890424          mov     dword ptr [esp],eax
0177fdaf 85c0            test    eax,eax
0177fdb1 7403            je     
webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()+0x36
(0177fdb6)
0177fdb3 f0ff00          lock inc dword ptr [eax]
0177fdb6 55              push    ebp  <--- Messes with the argument of the call below!
0177fdb7 89e5            mov     ebp,esp  <-- This is not the esp we want to save!
0177fdb9 e812000000      call    webkit_unit_tests!WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()
(0177fdd0)   
0177fdbe 89ec            mov     esp,ebp   <--- This is not the %esp we want for returning.
0177fdc0 5d              pop     ebp
0177fdc1 c3              ret

I'm not sure it's possible to move the prologue past the _chkstk call (or, the
call should be moved too).

The function we call at 0177fdb9 takes 12 bytes of argument passed on the stack
(so the "push ebp" before is pushing into its arguments!), and the callee will
pop 12 bytes when returning! By doing "mov esp, ebp" later we undo the popping
of those 12 bytes, so our return address is not on top of the stack anymore and
we crash.

In other words, "mov esp, ebp" doesn't restore %esp to the value at entry, but
to the value after _chkstk.</pre>
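<p>The following is an added illustration, not part of the bug report and not LLVM or Chromium code: a constructed C model of the esp/ebp bookkeeping for the two sequences above. It reserves the 12 bytes that <code>_chkstk</code> allocates, runs the <code>push ebp; mov ebp,esp</code> prologue either at entry or sunk past that allocation, lets a callee-cleanup callee pop its 12 bytes of arguments, and then reports what the callee saw as its first argument and which dword the final <code>ret</code> pops. The stack size, return address and frame-pointer values are made up for the model.</p>

```c
#include <stdint.h>
#include <string.h>

/* Constructed stack-pointer model of the two code sequences in this report. It is
 * not a CPU emulator, only the esp/ebp bookkeeping needed to see why the
 * shrink-wrapped layout returns to the wrong address. All values are made up. */
#define STACK_BYTES 64
#define RET_ADDR    0xCAFE0000u  /* hypothetical return address of operator() */
#define SAVED_EBP   0xBBBB0000u  /* hypothetical frame pointer of our caller */
#define ARG_BYTES   12           /* callee pops 12 bytes of arguments on ret */

typedef struct { uint8_t mem[STACK_BYTES]; uint32_t esp, ebp; } cpu_t;
typedef struct { uint32_t callee_arg0, ret_target; } result_t;

static void     wr(cpu_t *c, uint32_t a, uint32_t v) { memcpy(c->mem + a, &v, 4); }
static uint32_t rd(cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, c->mem + a, 4); return v; }
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; wr(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd(c, c->esp); c->esp += 4; return v; }
/* push ebp; mov ebp,esp */
static void     prologue(cpu_t *c) { push(c, c->ebp); c->ebp = c->esp; }

/* Run operator() with the prologue either at entry or sunk past _chkstk. */
result_t run(int shrink_wrapped) {
    cpu_t c; result_t r; memset(&c, 0, sizeof c);
    c.esp = STACK_BYTES; c.ebp = SAVED_EBP;
    push(&c, RET_ADDR);                      /* our caller's `call` pushed this */
    if (!shrink_wrapped) prologue(&c);       /* normal: frame set up at entry */
    c.esp -= ARG_BYTES;                      /* _chkstk: reserve outgoing args */
    wr(&c, c.esp + 8, 0x11); wr(&c, c.esp + 4, 0x22); wr(&c, c.esp, 0x33);
    if (shrink_wrapped) prologue(&c);        /* bug: push ebp lands below the args */
    push(&c, 0xDEAD);                        /* `call`: callee's return address */
    r.callee_arg0 = rd(&c, c.esp + 4);       /* what the callee sees as its first arg */
    (void)pop(&c); c.esp += ARG_BYTES;       /* callee `ret 12`: pops ret + 12 bytes */
    c.esp = c.ebp;                           /* epilogue: mov esp,ebp */
    c.ebp = pop(&c);                         /* pop ebp */
    r.ret_target = pop(&c);                  /* ret: top of stack is the target */
    return r;
}
```

<p>In the model, <code>run(0)</code> returns to <code>RET_ADDR</code> and the callee sees the intended first argument, while <code>run(1)</code> hands the callee the saved ebp as its first argument and finally pops an argument slot instead of the return address, matching the report's description of the crash.</p>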
        </div>
      </p>
    </body>
</html>