Bug 469995 - js_DecompileValueGenerator uses cx->fp and should be made safe, r=crowder+jorendorff
--- a/js/src/jsopcode.cpp
+++ b/js/src/jsopcode.cpp
@@ -4940,18 +4940,17 @@ js_DecompileValueGenerator(JSContext *cx
intN pcdepth;
jsval *sp, *stackBase;
char *name;
JS_ASSERT(spindex < 0 ||
spindex == JSDVG_IGNORE_STACK ||
spindex == JSDVG_SEARCH_STACK);
- for (fp = cx->fp; fp && !fp->script; fp = fp->down)
- continue;
+ fp = js_GetScriptedCaller(cx, NULL);
if (!fp || !fp->regs || !fp->regs->sp)
goto do_fallback;
script = fp->script;
regs = fp->regs;
pc = fp->imacpc ? fp->imacpc : regs->pc;
if (pc < script->main || script->code + script->length <= pc) {
JS_NOT_REACHED("bug");