http://bugs.winehq.org/show_bug.cgi?id=30465
--- Comment #1 from Ulrik Dickow u.dickow@gmail.com 2012-04-17 05:35:01 CDT --- Created attachment 39832 --> http://bugs.winehq.org/attachment.cgi?id=39832 Wine 1.4 backtrace, floating point regs and disassembly (short)
To begin with my simplest debug session, this first attachment is a rather short one made with wine 1.4, i.e. the latest STABLE version. It shows that an invalid floating point operation exception was triggered by the latter of the two fldcw instructions in this sequence (AT&T syntax):
fldcw 0xfffffff4(%ebp) # Load FP Control Word 0x0c72 (c = truncate)
fistps 0xfffffff0(%ebp) # Convert ST0 to 32 bit int => pending exception
fldcw 0xfffffff6(%ebp) # Load old CW (0x1372) => triggers the exception
The floating point number to be converted is ST0 = d = 1332603567267000.0 = the number of microseconds from Jan 1 1970 (00:00) to the time of the crash, Mar 24 16:39:27 2012. You will see in a later attachment that this number comes from the Gecko history expiration timer event in nsPlacesExpiration.js.
The number is of course too large for an int32. That shouldn't be a problem, since the whole point of JSDOUBLE_IS_INT32 is to see whether or not the double fits into an int32. Indeed normally and by default the "Invalid operation" exception is masked out by bit 0 being set in the Floating point Control Word (FLCW), i.e. uneven CW. But for some unknown reason, here we have entered JSDOUBLE_IS_INT32 with an even CW (0x1372), so that the exception generated by the invalid conversion to int32 is triggered immediately at the next floating point instruction (second fldcw).
More comments follow on the next attachments.
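The masked conversion the comment describes, as an added example that is not code from the bug report or from Wine/Gecko: with IM (bit 0 of the x87 control word) set, an out-of-range fistpl stores the integer-indefinite value and only raises the IE flag in the status word, so the caller can test "does it fit?" without a trap; the stale IE flag is then cleared so a later fldcw with an unmasked CW (the situation in this bug) cannot fire it. It assumes x86/x86-64 with GCC or Clang inline assembly; the function and constant names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* x87 control word: bit 0 = IM (invalid-operation mask), bits 10-11 = RC (11b = truncate).
   x87 status word:  bit 0 = IE (invalid-operation exception flag). */
#define X87_CW_IM        0x0001u
#define X87_CW_RC_TRUNC  0x0C00u
#define X87_SW_IE        0x0001u

static uint16_t x87_get_cw(void) { uint16_t cw; __asm__ volatile("fnstcw %0" : "=m"(cw)); return cw; }
static void     x87_set_cw(uint16_t cw) { __asm__ volatile("fldcw %0" : : "m"(cw)); }

/* Convert d to int32 with truncation and the invalid-operation exception MASKED (odd CW),
   which is what JSDOUBLE_IS_INT32 relies on. Returns 1 if d fits in an int32, else 0.
   Never traps, whatever the caller's CW was. */
int fits_int32_masked(double d, int32_t *out)
{
    uint16_t saved = x87_get_cw();
    uint16_t cw = saved | X87_CW_IM | X87_CW_RC_TRUNC;  /* masked + truncate, like 0x0c72 */
    int32_t  result;
    uint16_t sw;
    __asm__ volatile(
        "fnclex\n\t"        /* drop any pending x87 exception flags before we start */
        "fldcw  %2\n\t"     /* install the masked control word */
        "fldl   %3\n\t"     /* ST0 = d */
        "fistpl %0\n\t"     /* out of range => IE set, stores 0x80000000 (integer indefinite) */
        "fnstsw %1\n\t"     /* read status word to inspect IE */
        "fnclex\n\t"        /* clear IE so a later fldcw with an even CW cannot trap on it */
        : "=m"(result), "=m"(sw)
        : "m"(cw), "m"(d)
        : "cc", "memory");
    x87_set_cw(saved);      /* restore caller's CW; no exception is pending any more */
    *out = result;
    return (sw & X87_SW_IE) == 0;
}

int main(void)
{
    int32_t v;
    /* The value from this bug: microseconds since the epoch at the time of the crash. */
    double ts = 1332603567267000.0;
    int fits = fits_int32_masked(ts, &v);
    printf("%.0f fits int32: %d (stored 0x%08x)\n", ts, fits, (unsigned)v);
    fits = fits_int32_masked(-7.9, &v);
    printf("-7.9 fits int32: %d, truncated to %d\n", fits, v);
    return 0;
}
```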