From 1ed19456f65821427ff4b6deb9750c16d55a4196 Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Sun, 3 Apr 2011 11:16:44 -0700
Subject: [PATCH] [INFER] Always emit jsop_getprop stub calls for rejoining in
 JSOP_INSTANCEOF, bug 647532.

---
 js/src/jit-test/tests/jaeger/recompile/bug647532.js | 4 ++++
 js/src/methodjit/Compiler.cpp                       | 9 +++------
 2 files changed, 7 insertions(+), 6 deletions(-)
 create mode 100644 js/src/jit-test/tests/jaeger/recompile/bug647532.js

diff --git a/js/src/jit-test/tests/jaeger/recompile/bug647532.js b/js/src/jit-test/tests/jaeger/recompile/bug647532.js
new file mode 100644
index 00000000000..3c8bc3f404f
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/recompile/bug647532.js
@@ -0,0 +1,4 @@
+try { Function("\
+    __defineSetter__(\"x\",Object.keys)\
+    (z=x instanceof[].some)\
+")() } catch (e) { }
diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index a1e8281804a..f67776f19eb 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -6020,12 +6020,9 @@ mjit::Compiler::jsop_instanceof()
 
     // The fast path applies only when both operands are objects.
     if (rhs->isNotType(JSVAL_TYPE_OBJECT) || lhs->isNotType(JSVAL_TYPE_OBJECT)) {
-        prepareStubCall(Uses(2));
-        INLINE_STUBCALL(stubs::InstanceOf);
-        frame.popn(2);
-        frame.takeReg(Registers::ReturnReg);
-        frame.pushTypedPayload(JSVAL_TYPE_BOOLEAN, Registers::ReturnReg);
-        return true;
+        stubcc.linkExit(masm.jump(), Uses(2));
+        frame.discardFe(lhs);
+        frame.discardFe(rhs);
     }
 
     MaybeJump firstSlow;