[llvm-bugs] [Bug 25723] New: Shrinkwrapping crashes Chromium on Windows
via llvm-bugs
llvm-bugs at lists.llvm.org
Wed Dec 2 13:47:59 PST 2015
https://llvm.org/bugs/show_bug.cgi?id=25723
Bug ID: 25723
Summary: Shrinkwrapping crashes Chromium on Windows
Product: libraries
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: Backend: X86
Assignee: unassignedbugs at nondot.org
Reporter: hans at chromium.org
CC: llvm-bugs at lists.llvm.org, qcolombet at apple.com, rnk at google.com
Classification: Unclassified
Using Clang r254480 with shrink-wrapping enabled causes Chromium to crash in
start-up, and lots of tests to fail.
Note to self for reproducing:
out\Release\webkit_unit_tests --single-process-tests -gtest_filter=WebViewTest.BrokenImage
In WinDbg we can break on the function below with:
bm webkit_unit_tests!WTF::PartBoundFunctionImpl*3*BackgroundHTMLParser
I think what's happening is the shrink-wrapping doesn't account for the _chkstk
call below.
I'll try to come up with a reduction or other repro, but at least I know why
we're crashing now.
Without shrinkwrapping:
webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator():
029902c0 55 push ebp
029902c1 89e5 mov ebp,esp
029902c3 b80c000000 mov eax,0Ch
029902c8 e833f2ae00 call webkit_unit_tests!_chkstk (0347f500)
029902cd 8b4110 mov eax,dword ptr [ecx+10h]
029902d0 c7411000000000 mov dword ptr [ecx+10h],0
029902d7 89442408 mov dword ptr [esp+8],eax
029902db 8b410c mov eax,dword ptr [ecx+0Ch]
029902de c7410c00000000 mov dword ptr [ecx+0Ch],0
029902e5 89442404 mov dword ptr [esp+4],eax
029902e9 8b4108 mov eax,dword ptr [ecx+8]
029902ec 8d4904 lea ecx,[ecx+4]
029902ef 890424 mov dword ptr [esp],eax
029902f2 85c0 test eax,eax
029902f4 7403 je
webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()+0x39
(029902f9)
029902f6 f0ff00 lock inc dword ptr [eax]
029902f9 e812000000 call webkit_unit_tests!WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()
(02990310)
029902fe 89ec mov esp,ebp
02990300 5d pop ebp
02990301 c3 ret
With shrinkwrapping:
webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator():
0177fd80 b80c000000 mov eax,0Ch
0177fd85 e876efae00 call webkit_unit_tests!_chkstk (0226ed00) <--- Allocates stack for the call below!
0177fd8a 8b4110 mov eax,dword ptr [ecx+10h]
0177fd8d c7411000000000 mov dword ptr [ecx+10h],0
0177fd94 89442408 mov dword ptr [esp+8],eax
0177fd98 8b410c mov eax,dword ptr [ecx+0Ch]
0177fd9b c7410c00000000 mov dword ptr [ecx+0Ch],0
0177fda2 89442404 mov dword ptr [esp+4],eax
0177fda6 8b4108 mov eax,dword ptr [ecx+8]
0177fda9 8d4904 lea ecx,[ecx+4]
0177fdac 890424 mov dword ptr [esp],eax
0177fdaf 85c0 test eax,eax
0177fdb1 7403 je
webkit_unit_tests!WTF::PartBoundFunctionImpl<3,WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>,void
__cdecl(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()+0x36
(0177fdb6)
0177fdb3 f0ff00 lock inc dword ptr [eax]
0177fdb6 55 push ebp <--- Messes with the argument of the call below!
0177fdb7 89e5 mov ebp,esp <-- This is not the esp we want to save!
0177fdb9 e812000000 call webkit_unit_tests!WTF::FunctionWrapper<void
(__cdecl*)(WTF::PassRefPtr<WTF::WeakReference<blink::BackgroundHTMLParser>
>,WTF::PassOwnPtr<blink::BackgroundHTMLParser::Configuration>,WTF::PassOwnPtr<blink::WebTaskRunner>)>::operator()
(0177fdd0)
0177fdbe 89ec mov esp,ebp <--- This is not the %esp we want for returning.
0177fdc0 5d pop ebp
0177fdc1 c3 ret
I'm not sure it's possible to move the prologue past the _chkstk call (or, the
call should be moved too).
The function we call at 0177fdb9 takes 12 bytes of arguments passed on the stack
(so the "push ebp" before it is pushing into its arguments!), and the callee will
pop 12 bytes when returning! By doing "mov esp, ebp" later we undo the popping
of those 12 bytes, so our return address is not on top of the stack anymore and
we crash.
In other words, "mov esp, ebp" doesn't restore %esp to the value at entry, but
to the value after _chkstk.
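Added illustration (not part of the original report): a toy word-addressed stack model that replays both instruction orderings shown above, with constructed addresses and argument values, and returns what the final ret would pop, so the esp mismatch described here can be checked without a debugger.

```c
#include <stdint.h>
#include <stdio.h>
/* Word-addressed toy model of a 32-bit stack growing toward lower indices;
 * every value below is constructed for this example. */
#define WORDS 32
#define RET_ADDR  0x029902feu  /* constructed: caller's return address */
#define SAVED_EBP 0x7f         /* constructed: caller's frame pointer */
#define ARG0 0xa0a0a0a0u       /* constructed: the three stack arguments */
#define ARG1 0xa1a1a1a1u
#define ARG2 0xa2a2a2a2u
typedef struct { uint32_t mem[WORDS]; int esp, ebp; } Cpu;
static void push(Cpu *c, uint32_t v) { c->mem[--c->esp] = v; }
static uint32_t pop(Cpu *c) { return c->mem[c->esp++]; }
/* The callee pops its 12 bytes of stack arguments on return ("ret 0Ch"), as
 * the report says the wrapper's operator() does; it records the first
 * argument it saw so that a misplaced 'push ebp' becomes visible. */
static void call_callee(Cpu *c, uint32_t *seen_arg0) {
    push(c, 0xdeadbeefu);          /* 'call' pushes the return address */
    if (seen_arg0) *seen_arg0 = c->mem[c->esp + 1];
    (void)pop(c);                  /* callee's ret pops that address ... */
    c->esp += 3;                   /* ... and discards the 12 argument bytes */
}
/* Replay the function with the prologue before _chkstk (original order) or
 * after it (shrink-wrapped order). Returns the value the final 'ret' pops. */
uint32_t run_function(int shrink_wrapped, uint32_t *callee_arg0) {
    Cpu c = {{0}, WORDS - 1, SAVED_EBP};
    push(&c, RET_ADDR);                         /* the caller's 'call' */
    if (!shrink_wrapped) { push(&c, (uint32_t)c.ebp); c.ebp = c.esp; }
    c.esp -= 3;                                 /* mov eax,0Ch; call _chkstk */
    c.mem[c.esp + 2] = ARG2;                    /* mov [esp+8],eax */
    c.mem[c.esp + 1] = ARG1;                    /* mov [esp+4],eax */
    c.mem[c.esp + 0] = ARG0;                    /* mov [esp],eax */
    if (shrink_wrapped) { push(&c, (uint32_t)c.ebp); c.ebp = c.esp; } /* push ebp; mov ebp,esp */
    call_callee(&c, callee_arg0);
    c.esp = c.ebp;                              /* mov esp,ebp */
    c.ebp = (int)pop(&c);                       /* pop ebp */
    return pop(&c);                             /* ret: where do we jump? */
}

/* What the callee received as its first stack argument. */
uint32_t callee_saw_arg0(int shrink_wrapped) {
    uint32_t a0 = 0;
    run_function(shrink_wrapped, &a0);
    return a0;
}
int main(void) {
    printf("original: %08x  shrink-wrapped: %08x (callee arg0 %08x)\n",
           run_function(0, 0), run_function(1, 0), callee_saw_arg0(1));
    return 0;
}
```

In the shrink-wrapped order the callee receives the saved ebp as its first argument and the final ret pops ARG0 instead of the return address, which is the crash described above.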