Created attachment 524165 [details] Testcase -- $ ./js -a -n -m test.js test.js:6: TypeError: d.getTime is not a function -- If I change Date to Array and getTime to toString, it crashes in mjit generated code.
Both release and debug builds, revision 7928f2dc3d4d.
When inlining a call, we keep track of the unsynced entries in parent frames in order to remat them on expanding the frame, not on every stub/inline call the inlined frame makes. The problem is we weren't filtering which entries to remat based on the parent's stack pointer, so that some of the entries were pushed for previous calls and overlapped the (already intact) slots of the inlined frames. 'd' here was overwritten with 12, as pushed by the '12 == 12' test in the global's call to f. http://hg.mozilla.org/projects/jaegermonkey/rev/b8b674ac06e7
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.