From bba6cefda7de5ed483f0a225d0b6aa6877e9e54f Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 29 Jul 2010 17:25:13 -0700
Subject: [PATCH] [JAEGER] Fixed tracer integration illegally re-pushing fp->rval (bug 583124).
---
 js/src/jsinterp.cpp | 2 +-
 js/src/jsinterp.h | 1 +
 js/src/methodjit/InvokeHelpers.cpp | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/js/src/jsinterp.cpp b/js/src/jsinterp.cpp
index 90d04a8616..3211b91f3c 100644
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -2812,7 +2812,7 @@ BEGIN_CASE(JSOP_STOP)
 } else {
 #ifdef JS_TRACER
 /* Hack: re-push rval so either JIT will read it properly. */
- PUSH_COPY(fp->rval);
+ fp->flags |= JSFRAME_BAILED_AT_RETURN;
 if (TRACE_RECORDER(cx)) {
 AbortRecording(cx, "recording out of Interpret");
 interpReturnOK = true;
diff --git a/js/src/jsinterp.h b/js/src/jsinterp.h
index ab2bacf552..deab962775 100644
--- a/js/src/jsinterp.h
+++ b/js/src/jsinterp.h
@@ -68,6 +68,7 @@ enum JSFrameFlags {
 JSFRAME_GENERATOR = 0x80, /* frame belongs to generator-iterator */
 JSFRAME_BAILING = 0x100, /* walking out of a method JIT'd frame */
 JSFRAME_RECORDING = 0x200, /* recording a trace */
+ JSFRAME_BAILED_AT_RETURN = 0x400, /* bailed at JSOP_RETURN */
 JSFRAME_SPECIAL = JSFRAME_DEBUGGER | JSFRAME_EVAL
 };
diff --git a/js/src/methodjit/InvokeHelpers.cpp b/js/src/methodjit/InvokeHelpers.cpp
index 75e507e2f8..5607146c0e 100644
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -855,7 +855,7 @@ RunTracer(VMFrame &f)
 /* Step 3.2. If entryFrame is at a RETURN, then leave slightly differently. */
 if (JSOp op = FrameIsFinished(cx)) {
 /* We're not guaranteed that the RETURN was run. */
- if (op == JSOP_RETURN)
+ if (op == JSOP_RETURN && !(entryFrame->flags & JSFRAME_BAILED_AT_RETURN))
 entryFrame->rval = f.regs.sp[-1];
 /* Don't pop the frame if it's maybe owned by an Invoke. */
-- 
2.11.4.GIT
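Review bot: In js/src/jsinterp.cpp the context comment `/* Hack: re-push rval so either JIT will read it properly. */` is now stale, because the line under it no longer pushes anything and sets `JSFRAME_BAILED_AT_RETURN` instead. Left as is, it invites a later reader to restore the push, which the commit title describes as illegal. I would replace it with `/* fp->rval is already final; flag the frame so RunTracer does not reload rval from sp[-1]. */`. The enclosing case body starts and ends outside the hunk, so whether the flag is ever cleared cannot be checked from here.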
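Review bot: The comment on `JSFRAME_BAILED_AT_RETURN` in js/src/jsinterp.h says when the bit is set but not what a reader may assume once it is set. The only consumer visible in this patch, RunTracer in InvokeHelpers.cpp, takes it to mean that rval already holds the return value and must not be overwritten from the top stack slot. I would state that at the definition, e.g. `/* interpreter bailed at a return op; fp->rval is valid, do not reload it from sp[-1] */`. The jsinterp.cpp hunk header shows BEGIN_CASE(JSOP_STOP) as context, so "JSOP_RETURN" may be narrower than the path that actually sets the bit; that is worth confirming.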
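Review bot: In RunTracer (js/src/methodjit/InvokeHelpers.cpp) the fallback `entryFrame->rval = f.regs.sp[-1];` still reads the top stack slot with no visible check that the operand stack holds a value there. This commit fixes one case where that slot did not hold the return value, so a debug assertion on the stack depth before the read would surface the next such mismatch as an assertion failure rather than as an unrelated value being treated as rval. The comment above the condition should also explain the new test, e.g. `/* If the interpreter bailed at the return op, rval is already set and sp[-1] is not the return value. */`. RunTracer's body starts and ends outside the hunk, so an existing assertion elsewhere cannot be ruled out.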