Comment 31 for bug 1066046

In , Zherczeg-i (zherczeg-i) wrote:

No problem. This is entirely different now.

> Nothing new until now. But let's look at that code with the right library in place:
>
> 0x41d5d15c <cti_op_get_by_id_proto_fail+8>: ldr lr, [sp, #3118288] ; 0x40
> 0x41d5d160 <cti_op_get_by_id_proto_fail+12>: mov pc, lr
> 0x41d5d164 <cti_op_get_by_id_array_fail>: str lr, [sp, #3118288] ; 0x40
> 0x41d5d168 <cti_op_get_by_id_array_fail+4>: bl 0x41cae2e8
>
> This looks suspicious. Does it tell you anything?

Yeah, it is really suspicious. The sequence should look like this:

str lr, [sp, ...]
bl ...
ldr lr, [sp, ...]
mov pc, lr

Generated by:

#define DEFINE_STUB_FUNCTION(rtype, op) \
    extern "C" { \
        rtype JITStubThunked_##op(STUB_ARGS_DECLARATION); \
    }; \
    asm ( \
        ".globl " SYMBOL_STRING(cti_##op) "\n" \
        SYMBOL_STRING(cti_##op) ":" "\n" \
        "str lr, [sp, #" STRINGIZE_VALUE_OF(THUNK_RETURN_ADDRESS_OFFSET) "]" "\n" \
        "bl " SYMBOL_STRING(JITStubThunked_##op) "\n" \
        "ldr lr, [sp, #" STRINGIZE_VALUE_OF(THUNK_RETURN_ADDRESS_OFFSET) "]" "\n" \
        "mov pc, lr" "\n" \
        ); \
    rtype JITStubThunked_##op(STUB_ARGS_DECLARATION)

and

#define THUNK_RETURN_ADDRESS_OFFSET 0x38

(so #3118288 is somewhat way too big for me)

In other words, something added 8 to the offset of these so-called "stubs". Same as the second function. Question is why... Perhaps a very simple web page with simple JS with calling fallbacks like this could also reveal this error:

<script>
var a = {}; a["a"]=5;
</script>
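As an added check (example code, not part of this bug thread or of WebKit), a small Python script that parses gdb output like the dump quoted above and flags every cti_* stub whose lr save/restore slot deviates from THUNK_RETURN_ADDRESS_OFFSET or whose instruction order differs from what DEFINE_STUB_FUNCTION emits; the sample input is constructed by re-joining the four gdb lines quoted above, one instruction per line.

```python
import re

THUNK_RETURN_ADDRESS_OFFSET = 0x38   # value quoted above from the JIT stub header
# gdb line "0xADDR <symbol+off>: mnemonic operands [; 0xHEX]"; str/ldr operand "lr, [sp, #IMM]".
LINE_RE = re.compile(r'^0x[0-9a-fA-F]+\s+<([^+>]+)(?:\+\d+)?>:\s*(\S+)\s*(.*)$')
SLOT_RE = re.compile(r'^lr,\s*\[sp,\s*#(-?\d+)\]\s*(?:;\s*(0x[0-9a-fA-F]+))?')

def parse_stubs(disasm):
    """Group a gdb dump into {stub_symbol: [(mnemonic, operands), ...]}."""
    stubs = {}
    for line in disasm.splitlines():
        if m := LINE_RE.match(line.strip()):
            sym, mnemonic, operands = m.groups()
            stubs.setdefault(sym, []).append((mnemonic, operands.strip()))
    return stubs

def lr_slot_offset(operands):
    """Slot of an "lr, [sp, #N]" operand, or None; gdb's hex comment wins over the decimal."""
    m = SLOT_RE.match(operands)
    if m:
        dec, hexc = m.groups()
        return int(hexc, 16) if hexc else int(dec)
    return None

def check_stub(insns, expected=THUNK_RETURN_ADDRESS_OFFSET):
    """Compare one cti_* stub with the str/bl/ldr/mov shape DEFINE_STUB_FUNCTION emits."""
    problems = []
    shape = ' '.join(m for m, _ in insns)
    if shape not in 'str bl ldr mov':          # a partial but contiguous dump is fine
        problems.append('unexpected sequence: ' + shape)
    for mnemonic, operands in insns:
        if mnemonic not in ('str', 'ldr'):
            continue
        off = lr_slot_offset(operands)
        if off is None:
            problems.append(mnemonic + ' does not save/restore lr via an sp slot')
        elif off != expected:
            problems.append('%s lr slot 0x%x != expected 0x%x (delta %+d)' % (mnemonic, off, expected, off - expected))
    return problems

def find_bad_stubs(disasm, expected=THUNK_RETURN_ADDRESS_OFFSET):
    """{stub_symbol: problems} for every stub in the dump that deviates."""
    return {s: p for s, i in parse_stubs(disasm).items() if (p := check_stub(i, expected))}

# The four gdb lines quoted above, re-joined one instruction per line (constructed input).
SAMPLE = """\
0x41d5d15c <cti_op_get_by_id_proto_fail+8>: ldr lr, [sp, #3118288] ; 0x40
0x41d5d160 <cti_op_get_by_id_proto_fail+12>: mov pc, lr
0x41d5d164 <cti_op_get_by_id_array_fail>: str lr, [sp, #3118288] ; 0x40
0x41d5d168 <cti_op_get_by_id_array_fail+4>: bl 0x41cae2e8
"""
```

Running find_bad_stubs(SAMPLE) reports both stubs with a delta of +8, which is exactly the "something added 8" observation above; passing expected=0x40 makes the report empty.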