Closed Bug 647973 Opened 14 years ago Closed 14 years ago

TI+JM: crash or error "d.getTime is not a function"

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

Attachments

(1 file)

169 bytes, application/x-javascript
Details
Attached file Testcase
--
$ ./js -a -n -m test.js
test.js:6: TypeError: d.getTime is not a function
--
If I change Date to Array and getTime to toString, it crashes in mjit generated code.
Both release and debug builds, revision 7928f2dc3d4d.
When inlining a call, we keep track of the unsynced entries in parent frames in order to remat them on expanding the frame, not on every stub/inline call the inlined frame makes.  The problem is we weren't filtering which entries to remat based on the parent's stack pointer, so that some of the entries were pushed for previous calls and overlapped the (already intact) slots of the inlined frames.  'd' here was overwritten with 12, as pushed by the '12 == 12' test in the global's call to f.

http://hg.mozilla.org/projects/jaegermonkey/rev/b8b674ac06e7
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: