TI+JM: crash or error "d.getTime is not a function"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 7 years ago
Last modified: 7 years ago

Reporter: jandem, Unassigned

Tracking: Blocks 1 bug (Firefox tracking flags: not tracked)

Attachments: 1 attachment (169 bytes, application/x-javascript)
(Reporter)

Description

7 years ago
Created attachment 524165 [details]
Testcase

--
$ ./js -a -n -m test.js
test.js:6: TypeError: d.getTime is not a function
--
If I change Date to Array and getTime to toString, it crashes in mjit generated code.
(Reporter)

Comment 1

7 years ago
Both release and debug builds, revision 7928f2dc3d4d.

When inlining a call, we keep track of the unsynced entries in parent frames in order to remat them on expanding the frame, not on every stub/inline call the inlined frame makes. The problem is we weren't filtering which entries to remat based on the parent's stack pointer, so that some of the entries were pushed for previous calls and overlapped the (already intact) slots of the inlined frames. 'd' here was overwritten with 12, as pushed by the '12 == 12' test in the global's call to f.

http://hg.mozilla.org/projects/jaegermonkey/rev/b8b674ac06e7
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED