Open Bug 1913864 Opened 11 months ago Updated 7 months ago

CacheIR doesnt take into account whether lexical environment's property is within dynamic slots or not

Tracking

()

Status:

NEW

People

(Reporter: debadree333, Unassigned)

References

(Blocks 1 open bug)

Details

Debadree Chatterjee

Reporter

Description

•

11 months ago

•

Edited

First example noted here: https://phabricator.services.mozilla.com/D219406, This can be reproduced as well by changing the number of reserved slots in LexicalEnvironmentObject here: https://searchfox.org/mozilla-central/source/js/src/vm/EnvironmentObject.h#765 and building the js shell with --enable-explicit-resource-management and then running ./mach jit-test, The problematic code site was found to be here: https://searchfox.org/mozilla-central/rev/53e68046298557fae0c922230b595bb6689bf587/js/src/jit/CacheIR.cpp#3477-3478

Tooru Fujisawa [:arai]

Updated

•

11 months ago

Severity: -- → S4

Type: enhancement → defect

Priority: -- → P3

Summary: CacheIR doesnt take into account whether dynamic slot is within fixed slots or not → CacheIR doesnt take into account whether lexical environment's property is within dynamic slots or not

Debadree Chatterjee

Reporter

Updated

•

11 months ago

Duplicate of this bug: 1913863

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

7 months ago

Blocks: CacheIR

You need to log in before you can comment on or make changes to this bug.

Bugzilla

CacheIR doesnt take into account whether lexical environment's property is within dynamic slots or not

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Tracking

()

People

(Reporter: debadree333, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated