Fix register allocation around inline returns,
bug 713209.
--- a/js/src/methodjit/FrameState-inl.h
+++ b/js/src/methodjit/FrameState-inl.h
@@ -1120,18 +1120,19 @@ FrameState::frameSlot(ActiveFrame *a, co
return analyze::ThisSlot();
if (fe == a->callee_)
return analyze::CalleeSlot();
JS_NOT_REACHED("Bad fe");
return 0;
}
inline JSC::MacroAssembler::Address
-FrameState::addressForInlineReturn() const
+FrameState::addressForInlineReturn()
{
+ discardFe(a->callee_);
return addressOf(a->callee_);
}
inline JSC::MacroAssembler::Address
FrameState::addressForDataRemat(const FrameEntry *fe) const
{
if (fe->isCopy() && !fe->data.synced())
fe = fe->copyOf();
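Review bot: `addressForInlineReturn()` now has a side effect — `discardFe(a->callee_)` runs before `addressOf(a->callee_)` — yet its name still reads like a plain accessor and the header comment in the FrameState.h hunk ("Inside an inline frame, the address for the return value in the caller.") says nothing about it, so a caller that still relies on a register or sync state for the callee entry would, by the look of it, lose that binding without any hint at the call site. The comment at the end of the FrameState.h hunk describes the discard as invalidating the entry "as if it were popped", which is exactly what callers need to know here. Suggest extending the header comment to `// Inside an inline frame, the address for the return value in the caller. Discards the callee entry first (as if popped) so the slot can be overwritten; do not use the callee FrameEntry afterwards.` If `a` can be null outside an inline frame, an explicit precondition such as `JS_ASSERT(a);` at the top of the body would document that too, but whether it is already guaranteed by callers cannot be told from this hunk.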
--- a/js/src/methodjit/FrameState.h
+++ b/js/src/methodjit/FrameState.h
@@ -872,17 +872,17 @@ class FrameState
// Returns an address, relative to the StackFrame, that represents where
// this FrameEntry is backed in memory. This is not necessarily its
// canonical address, but the address for which the payload has been synced
// to memory. The caller guarantees that the payload has been synced.
Address addressForDataRemat(const FrameEntry *fe) const;
// Inside an inline frame, the address for the return value in the caller.
- Address addressForInlineReturn() const;
+ Address addressForInlineReturn();
inline StateRemat dataRematInfo(const FrameEntry *fe) const;
/*
* This is similar to freeReg(ownRegForData(fe)) - except no movement takes place.
* The fe is simply invalidated as if it were popped. This can be used to free
* registers in the working area of the stack. Obviously, this can only be called
* in infallible code that will pop these entries soon after.