[INFER] Only allow inlined frames to call other frames in the same VMFrame, bug 673763.

js/src/methodjit/InvokeHelpers.cpp

@@ -359,7 +359,18 @@ UncachedInlineCall(VMFrame &f, InitialFrameFlags initial,
         }
     }
 
-    /* Otherwise, run newscript in the interpreter. */
+    /*
+     * Otherwise, run newscript in the interpreter. Expand any inlined frame we
+     * are calling from, as the new frame is not associated with the VMFrame
+     * and will not have its prevpc info updated if frame expansion is
+     * triggered while interpreting.
+     */
+    if (f.regs.inlined()) {
+        ExpandInlineFrames(cx->compartment, false);
+        JS_ASSERT(!f.regs.inlined());
+        regs.fp()->resetInlinePrev(f.fp(), f.regs.pc);
+    }
+
     bool ok = !!Interpret(cx, cx->fp());
     f.cx->stack.popInlineFrame(regs);
 

js/src/vm/Stack.cpp

@@ -572,7 +572,16 @@ ContextStack::ensureOnTop(JSContext *cx, MaybeReportError report, uintN nvars,
 {
     Value *firstUnused = space().firstUnused();
 
-    if (onTop() && extend && (!cx->hasfp() || !cx->regs().inlined())) {
+#ifdef JS_METHODJIT
+    /*
+     * The only calls made by inlined methodjit frames can be to other JIT
+     * frames associated with the same VMFrame.
+     */
+    if (cx->hasfp() && cx->regs().inlined())
+        mjit::ExpandInlineFrames(cx->compartment, false);
+#endif
+
+    if (onTop() && extend) {
         if (!space().ensureSpace(cx, report, firstUnused, nvars))
             return NULL;
         return firstUnused;

js/src/vm/Stack.h

@@ -540,6 +540,8 @@ class StackFrame
      *
      * - Inlined frames have the same scope chain as the outer frame.
      * - Inlined frames have the same strictness as the outer frame.
+     * - Inlined frames can only make calls to other JIT frames associated with
+     *   the same VMFrame. Other calls force expansion of the inlined frames.
      */
 
     /*