From 2122a154f93589e5e740e3b25d3de27c8d55f343 Mon Sep 17 00:00:00 2001
From: Luke Wagner
Date: Thu, 7 Jun 2012 15:05:40 -0700
Subject: [PATCH] Bug 762450 - Access the canonical formal argument location on jit rejoin path (r=bhackett)

--HG--
extra : rebase_source : 520885f21382f0ca2fc9aeff34f248cba1af7b39
---
 js/src/jit-test/tests/basic/testBug762450.js | 7 +++++++
 js/src/jsinterp.cpp | 2 +-
 js/src/methodjit/InvokeHelpers.cpp | 14 ++++++++------
 3 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/testBug762450.js

diff --git a/js/src/jit-test/tests/basic/testBug762450.js b/js/src/jit-test/tests/basic/testBug762450.js
new file mode 100644
index 00000000000..2813015a60c
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug762450.js
@@ -0,0 +1,7 @@
+function f(a, b, c) {
+    arguments[0] = 3;
+    return (c--) + 1;
+}
+var r = f();
+print(r);
+assertEq(r !== r, true);
diff --git a/js/src/jsinterp.cpp b/js/src/jsinterp.cpp
index d3136a80b63..128d804a094 100644
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -821,7 +821,7 @@ DoIncDec(JSContext *cx, JSScript *script, jsbytecode *pc, const Value &v, Value
     }
 
     double d;
-    if (!ToNumber(cx, *slot, &d))
+    if (!ToNumber(cx, v, &d))
         return false;
 
     double sum = d + (cs.format & JOF_INC ? 1 : -1);
diff --git a/js/src/methodjit/InvokeHelpers.cpp b/js/src/methodjit/InvokeHelpers.cpp
index fcc3e5b2c18..901380e49d0 100644
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -691,11 +691,6 @@ FinishVarIncOp(VMFrame &f, RejoinState rejoin, Value ov, Value nv, Value *vp)
               op == JSOP_ARGDEC || op == JSOP_DECARG);
     const JSCodeSpec *cs = &js_CodeSpec[op];
 
-    unsigned i = GET_SLOTNO(f.pc());
-    Value *var = (JOF_TYPE(cs->format) == JOF_LOCAL)
-        ? &f.fp()->unaliasedLocal(i)
-        : &f.fp()->unaliasedFormal(i);
-
     if (rejoin == REJOIN_POS) {
         double d = ov.toNumber();
         double N = (cs->format & JOF_INC) ? 1 : -1;
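Review bot: `print(r);` on the sixth added line is leftover debugging output; the outcome is already checked by the `assertEq` that follows, so the print only adds noise to the jit-test log and should be dropped. The NaN check `assertEq(r !== r, true)` is correct but terse for a regression test — a comment above `var r = f();` such as `// c is undefined, so c-- yields NaN; the decrement must read and write the formal's canonical slot even after arguments[0] is assigned` would tell a reader what the `arguments[0] = 3` line is there to provoke (presumably forcing the frame onto the arguments-object-aliased path the InvokeHelpers.cpp change handles).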
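Review bot: The operand is now read from the `v` parameter instead of `*slot`, but the hunk does not show where the incremented result is stored; if DoIncDec still writes through `slot` further down, the aliasing concern named in the commit subject would seem to apply to that store as well, so it is worth confirming `slot` is the canonical location there or that the write goes through the same selection the InvokeHelpers.cpp change adds. A one-line comment above the `ToNumber` call, e.g. `// Read the operand from v rather than *slot; slot is not guaranteed to be the canonical location of an aliased formal.`, would record why `v` is preferred. DoIncDec's body starts and ends outside this hunk.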
@@ -703,7 +698,14 @@ FinishVarIncOp(VMFrame &f, RejoinState rejoin, Value ov, Value nv, Value *vp)
             types::TypeScript::MonitorOverflow(cx, f.script(), f.pc());
     }
 
-    *var = nv;
+    unsigned i = GET_SLOTNO(f.pc());
+    if (JOF_TYPE(cs->format) == JOF_LOCAL)
+        f.fp()->unaliasedLocal(i) = nv;
+    else if (f.fp()->script()->argsObjAliasesFormals())
+        f.fp()->argsObj().setArg(i, nv);
+    else
+        f.fp()->unaliasedFormal(i) = nv;
+
     *vp = (cs->format & JOF_POST) ? ov : nv;
 }
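Review bot: The three-way store added after the overflow-monitoring block carries no comment explaining why a formal is written through `argsObj().setArg(i, nv)` when `argsObjAliasesFormals()` holds, which is the substance of this fix (the pointer computation removed in the hunk at -691 always targeted `unaliasedFormal(i)`). Suggest `// When the arguments object aliases the formals it holds the canonical copy of the argument; writing unaliasedFormal() here would leave the value seen through arguments[i] stale.` above the `if (JOF_TYPE(cs->format) == JOF_LOCAL)` line. The same local/formal/aliased-formal selection presumably exists on the interpreter side as well; if it does, a shared accessor on the frame would keep the two paths from drifting apart. FinishVarIncOp's opening lines are in the preceding hunk, and its closing brace is the last line of this one.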