Check for ByteCodeRegSlot before using in Inline (#6741)
diff --git a/lib/Backend/Inline.cpp b/lib/Backend/Inline.cpp
index db76ed7..7b091bb 100644
--- a/lib/Backend/Inline.cpp
+++ b/lib/Backend/Inline.cpp
@@ -2203,7 +2203,7 @@ Inline::InlineBuiltInFunction(
 if (OpCodeAttr::BailOutRec(inlineCallOpCode))
 {
 StackSym * sym = argInstr->GetSrc1()->GetStackSym();
- if (!sym->m_isSingleDef || !sym->m_instrDef->GetSrc1() || !sym->m_instrDef->GetSrc1()->IsConstOpnd())
+ if (sym->HasByteCodeRegSlot() && (!sym->m_isSingleDef || !sym->m_instrDef->GetSrc1() || !sym->m_instrDef->GetSrc1()->IsConstOpnd()))
 {
 if (!sym->IsFromByteCodeConstantTable() && sym->GetByteCodeRegSlot() != callInstrDst->GetStackSym()->GetByteCodeRegSlot())
 {
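Review bot: The right-hand side of the inner comparison is still unguarded: `callInstrDst->GetStackSym()->GetByteCodeRegSlot()` is evaluated without the `HasByteCodeRegSlot()` check that this change adds for `sym`, and the visible lines show no null check on `callInstrDst` or its stack sym either. If the destination can be a JIT-created temporary, the same precondition failure would presumably recur there, and in a build where assertions compile out the comparison would run against an unset slot value. Consider hoisting `StackSym * dstSym = callInstrDst->GetStackSym();` and requiring `dstSym && dstSym->HasByteCodeRegSlot()` before the comparison, plus a one-line comment such as `// syms without a bytecode register slot have nothing to restore on bailout` if that is the intended reasoning. The enclosing block continues past the end of the hunk, so whether skipping it is safe for every such sym cannot be confirmed from here.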
diff --git a/test/Function/bug6738.js b/test/Function/bug6738.js
new file mode 100644
index 0000000..26908b1
--- /dev/null
+++ b/test/Function/bug6738.js
@@ -0,0 +1,15 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft Corporation and contributors. All rights reserved.
+// Copyright (c) 2021 ChakraCore Project Contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function jit() {
+ let x = Math.round.call({}, 3133.7);
+}
+
+for (var i = 0; i < 0x1000; i++) {
+ jit();
+}
+
+print("pass");
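Review bot: The regression test can only fail by crashing or asserting, because `jit()` discards `x` and `print("pass")` runs unconditionally; a fix that stops the crash but miscompiles the inlined call would still pass. Return the value and check it on every iteration, e.g. `return Math.round.call({}, 3133.7);` in `jit()` and `if (jit() !== 3134) throw new Error("unexpected result");` in the loop. The rlexe.xml entry added alongside passes no flags, so whether the 0x1000 iterations reach the inlining path depends on the harness defaults; it is worth confirming that the test fails without the Inline.cpp change.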
diff --git a/test/Function/rlexe.xml b/test/Function/rlexe.xml
index d406fb0..bf9ecca 100644
--- a/test/Function/rlexe.xml
+++ b/test/Function/rlexe.xml
@@ -485,6 +485,11 @@
 </test>
 <test>
 <default>
+ <files>bug6738.js</files>
+ </default>
+ </test>
+ <test>
+ <default>
 <files>crosssite_bind_main.js</files>
 </default>
 </test>