Fixed argc < nargs miscount in js_SynthesizeFrame and adjusted a related assertion (bug 456667, r=danderson).
authorBrendan Eich <brendan@mozilla.org>
Thu, 25 Sep 2008 13:12:01 -0700
changeset 19981 437331f166fe9f8070fc5e54cd273933195083c6
parent 19980 3d304a99805eb25ee7e8a408f204b3f7e2e94f26
child 19982 da80ff92f1fad5f9186cf1269cf0edb6f5a5d640
push id2577
push userbrendan@mozilla.com
push dateWed, 01 Oct 2008 04:35:27 +0000
reviewersdanderson
bugs456667
milestone1.9.1b1pre
Fixed argc < nargs miscount in js_SynthesizeFrame and adjusted a related assertion (bug 456667, r=danderson).
js/src/jstracer.cpp
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -2130,24 +2130,24 @@ js_SynthesizeFrame(JSContext* cx, const 
     newifp->frame.callee = fi.callee;
     newifp->frame.fun = fun;
 
     bool constructing = fi.s.argc & 0x8000;
     
     newifp->frame.argc = argc;
     newifp->callerRegs.pc = fi.callpc;
     newifp->callerRegs.sp = cx->fp->slots + fi.s.spdist;
-    newifp->frame.argv = newifp->callerRegs.sp - JS_MAX(fun->nargs, argc);
+    newifp->frame.argv = newifp->callerRegs.sp - argc;
     JS_ASSERT(newifp->frame.argv);
 #ifdef DEBUG
     // Initialize argv[-1] to a known-bogus value so we'll catch it if
     // someone forgets to initialize it later.
     newifp->frame.argv[-1] = JSVAL_HOLE;
 #endif
-    JS_ASSERT(newifp->frame.argv >= StackBase(cx->fp));
+    JS_ASSERT(newifp->frame.argv >= StackBase(cx->fp) + 2);
 
     newifp->frame.rval = JSVAL_VOID;
     newifp->frame.down = cx->fp;
     newifp->frame.annotation = NULL;
     newifp->frame.scopeChain = OBJ_GET_PARENT(cx, fi.callee);
     newifp->frame.sharpDepth = 0;
     newifp->frame.sharpArray = NULL;
     newifp->frame.flags = constructing ? JSFRAME_CONSTRUCTING : 0;
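Review bot: The DEBUG-only store to `newifp->frame.argv[-1]` inside the `#ifdef DEBUG` block runs before the new `>= StackBase(cx->fp) + 2` bound is asserted, so in a debug build a mis-computed argv is written out of range one statement before the assertion would report it; moving `JS_ASSERT(newifp->frame.argv >= StackBase(cx->fp) + 2);` above the `#ifdef DEBUG` block checks the pointer before it is dereferenced. The `+ 2` also reads as a magic number with no explanation in the hunk; a comment such as `// the two slots below argv[0] must lie within this frame's stack (argv[-1] is written below)` would record the reason — presumably the callee and |this| slots, though only argv[-1] is visible here. The preceding `JS_ASSERT(newifp->frame.argv)` checks only that a pointer difference is non-NULL and adds little once the range assertion is in place. js_SynthesizeFrame begins and ends outside the hunk.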