+++ This bug was initially created as a clone of Bug #678939 +++
This is a WebGL demo translated from C++ to JS. With TI+JM, the FPS counter on the left is rendered incorrectly. It works after disabling either JM or TI.
OS X 10.7, revision 427522c34b31, 32-bit build. Not a regression from bug 678939, I can reproduce with an older build.
Created attachment 553733 [details]
Screenshot (TI disabled)
Created attachment 553734 [details]
Screenshot (TI enabled)
Huh, WFM on the OS X 8/16 nightly.
Can only reproduce on 32-bit (after enabling "open in 32-bit mode" on OS X). 64-bit is OK.
(In reply to Brian Hackett from comment #3)
> Huh, WFM on the OS X 8/16 nightly.
See comment 4 - mid-air collision :( I also see this with a nightly build from last month (7/17). I will try a clean profile to make sure it's not related to some pref or extension..
OK, I can see the glitch on 32-bit.
I'm trying to bisect this now, current regression window is 06/30 - 07/17.
Created attachment 554067 [details] [diff] [review]
Regression from my TI+JM typed array patches. The problem is that convertForTypedArray (used by setelem_typed) called tempRegForData(value) twice, the second one inside a branch. This is only okay if the testInt32 between them does not quietly allocate a type register..
This allocates the type and data registers up front. I'm not entirely sure this is needed for the type register but better safe than sorry. This fixes dlmalloc (bug 679878) and should also fix this bug.
*** Bug 679878 has been marked as a duplicate of this bug. ***
Downloaded a tinderbox build and this works fine now.