Closed
Bug 647973
Opened 14 years ago
Closed 14 years ago
TI+JM: crash or error "d.getTime is not a function"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: jandem, Unassigned)
References
Details
Attachments
(1 file)
169 bytes,
application/x-javascript
|
Details |
-- $ ./js -a -n -m test.js test.js:6: TypeError: d.getTime is not a function -- If I change Date to Array and getTime to toString, it crashes in mjit generated code.
Comment 2•14 years ago
|
||
When inlining a call, we keep track of the unsynced entries in parent frames in order to remat them on expanding the frame, not on every stub/inline call the inlined frame makes. The problem is we weren't filtering which entries to remat based on the parent's stack pointer, so that some of the entries were pushed for previous calls and overlapped the (already intact) slots of the inlined frames. 'd' here was overwritten with 12, as pushed by the '12 == 12' test in the global's call to f. http://hg.mozilla.org/projects/jaegermonkey/rev/b8b674ac06e7
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•