Created attachment 524165 [details] Testcase -- $ ./js -a -n -m test.js test.js:6: TypeError: d.getTime is not a function -- If I change Date to Array and getTime to toString, it crashes in mjit generated code.
Both release and debug builds, revision 7928f2dc3d4d.
When inlining a call, we keep track of the unsynced entries in parent frames in order to remat them on expanding the frame, not on every stub/inline call the inlined frame makes. The problem is we weren't filtering which entries to remat based on the parent's stack pointer, so that some of the entries were pushed for previous calls and overlapped the (already intact) slots of the inlined frames. 'd' here was overwritten with 12, as pushed by the '12 == 12' test in the global's call to f. http://hg.mozilla.org/projects/jaegermonkey/rev/b8b674ac06e7