diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index 56968cdcca88..5011d94cc8fd 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -6918,6 +6918,7 @@ mjit::Compiler::fixDoubleTypes(jsbytecode *target)
         if (vt.type == JSVAL_TYPE_INT32) {
             fixedIntToDoubleEntries.append(newv->slot);
             frame.ensureDouble(fe);
+            frame.forgetLoopReg(fe);
         } else if (vt.type == JSVAL_TYPE_UNKNOWN) {
             /*
              * Unknown here but a double at the target. The type
@@ -6932,6 +6933,7 @@ mjit::Compiler::fixDoubleTypes(jsbytecode *target)
         } else if (fe->isType(JSVAL_TYPE_DOUBLE)) {
             fixedDoubleToAnyEntries.append(newv->slot);
             frame.syncAndForgetFe(fe);
+            frame.forgetLoopReg(fe);
         }
         newv++;
     }
diff --git a/js/src/methodjit/FrameState-inl.h b/js/src/methodjit/FrameState-inl.h
index 09769ba04758..2ecd238bb14b 100644
--- a/js/src/methodjit/FrameState-inl.h
+++ b/js/src/methodjit/FrameState-inl.h
@@ -878,6 +878,17 @@ FrameState::syncAndForgetFe(FrameEntry *fe, bool markSynced)
     fe->data.setMemory();
 }
 
+inline void
+FrameState::forgetLoopReg(FrameEntry *fe)
+{
+    /*
+     * Don't use a loop register for fe in the active loop, as its underlying
+     * representation may have changed since the start of the loop.
+     */
+    if (loop)
+        fe->lastLoop = loop->headOffset();
+}
+
 inline void
 FrameState::syncType(FrameEntry *fe)
 {
diff --git a/js/src/methodjit/FrameState.h b/js/src/methodjit/FrameState.h
index 4e4427511fa5..2971903db29d 100644
--- a/js/src/methodjit/FrameState.h
+++ b/js/src/methodjit/FrameState.h
@@ -951,6 +951,7 @@ class FrameState
     Vector *getTemporaryCopies();
 
     inline void syncAndForgetFe(FrameEntry *fe, bool markSynced = false);
+    inline void forgetLoopReg(FrameEntry *fe);
 
 private:
     inline AnyRegisterID allocAndLoadReg(FrameEntry *fe, bool fp, RematInfo::RematType type);
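Review bot: The new `frame.forgetLoopReg(fe);` is added only to the JSVAL_TYPE_INT32 branch here (and to the JSVAL_TYPE_DOUBLE branch in the next hunk), while the JSVAL_TYPE_UNKNOWN branch that begins at the end of this hunk also handles an entry that is "a double at the target" and its body lies outside the hunk, so it cannot be confirmed from here whether it changes fe's representation in the same way. If that branch also converts or syncs fe, it presumably needs the same `frame.forgetLoopReg(fe);` after the conversion, otherwise a loop register holding the old representation could still be used for the rest of the loop. A one-line comment next to the new call, such as `/* fe's representation changed mid-loop; stop reusing any loop register for it. */`, would make the intent visible at the call site. fixDoubleTypes starts before and ends after this hunk.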
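Review bot: The new `FrameState::forgetLoopReg` only stamps `fe->lastLoop` with the active loop's head offset; it does not release or sync a register fe may already hold, so its correctness depends on callers having already synced/forgotten the entry (as both call sites in Compiler.cpp do via `ensureDouble`/`syncAndForgetFe`) and on how `lastLoop` is consumed by the register-allocation code, which is not visible in this diff. That precondition should be stated in the comment, e.g. add `Callers must already have synced or forgotten any register fe holds; this only blocks a loop register from being assigned to fe for the remainder of the loop, and is a no-op outside a loop.` With nested loops, `loop->headOffset()` presumably refers to the innermost active loop only; whether an enclosing loop's register assignment for fe also needs invalidating is worth confirming against the allocator.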