Fixed unsafe coercion of JSVAL_VOID to string on trace entry (bug 465483, r=brendan).

js/src/jstracer.cpp

@@ -1228,10 +1228,6 @@ ValueToNative(JSContext* cx, jsval v, uint8 type, double* slot)
         debug_only_v(printf("boolean<%d> ", *(JSBool*)slot);)
         return;
       case JSVAL_STRING:
-        if (v == JSVAL_VOID) {
-            *(JSString**)slot = ATOM_TO_STRING(cx->runtime->atomState.typeAtoms[JSTYPE_VOID]); 
-            return;
-        } 
         JS_ASSERT(tag == JSVAL_STRING);
         *(JSString**)slot = JSVAL_TO_STRING(v);
         debug_only_v(printf("string<%p> ", *(JSString**)slot);)
@@ -3261,7 +3257,7 @@ js_IsEntryTypeCompatible(jsval* vp, uint8* m)
         debug_only_v(printf("bool != tag%u", tag);)
         return false;
       case JSVAL_STRING:
-        if (*vp == JSVAL_VOID || tag == JSVAL_STRING)
+        if (tag == JSVAL_STRING)
             return true;
         debug_only_v(printf("string != tag%u", tag);)
         return false;

js/src/trace-test.js

@@ -1902,6 +1902,15 @@ function testBug465272() {
 testBug465272.expected = "3,3,3,3,3"
 test(testBug465272);
 
+function testBug465483() {
+	var a = new Array(4);
+	var c = 0;
+	for each (i in [4, 'a', 'b', (void 0)]) a[c++] = '' + (i + i);
+	return a.join(',');
+}
+testBug465483.expected = '8,aa,bb,NaN';
+test(testBug465483);
+
 // BEGIN MANDELBROT STUFF
 // XXXbz I would dearly like to wrap it up into a function to avoid polluting
 // the global scope, but the function ends up heavyweight, and then we lose on