From 723d6c73f71c49b71f54a26a84126f4e949bf366 Mon Sep 17 00:00:00 2001
From: Sean Stangl
Date: Thu, 6 Sep 2012 16:34:48 -0700
Subject: [PATCH] Bug 787921 - Fix IonMonkey interrupt detection. r=dvander
---
 js/src/ion/VMFunctions.cpp | 4 ++--
 js/src/jit-test/tests/ion/bug787921.js | 13 +++++++++++++
 js/src/jscntxt.cpp | 4 ++--
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 js/src/jit-test/tests/ion/bug787921.js
diff --git a/js/src/ion/VMFunctions.cpp b/js/src/ion/VMFunctions.cpp
index 5751d484a37..7eea30c38e8 100644
--- a/js/src/ion/VMFunctions.cpp
+++ b/js/src/ion/VMFunctions.cpp
@@ -101,8 +101,8 @@ CheckOverRecursed(JSContext *cx)
 // (1) The interrupt bit is set, and we need to fire the interrupt callback.
 // (2) The stack limit has been exceeded, and we need to throw an error.
 //
- // Note that we can reach here if ionStackLimit is NULL, but interrupt has
- // not yet been set to 1. That's okay; it will be set to 1 very shortly,
+ // Note that we can reach here if ionStackLimit is MAXADDR, but interrupt
+ // has not yet been set to 1. That's okay; it will be set to 1 very shortly,
 // and in the interim we might just fire a few useless calls to
 // CheckOverRecursed.
 JS_CHECK_RECURSION(cx, return false);
diff --git a/js/src/jit-test/tests/ion/bug787921.js b/js/src/jit-test/tests/ion/bug787921.js
new file mode 100644
index 00000000000..bcb5482e13d
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug787921.js
@@ -0,0 +1,13 @@
+// |jit-test| error: InternalError: too much recursion
+function TestCase(n, d, e, a) {
+ this.bugnumber = typeof(BUGNUMER) != 'undefined' ? BUGNUMBER : '';
+ this.type = (typeof window == 'undefined' ? 'shell' : 'browser');
+ gTestcases[gTc++] = this;
+ if (optionName && optionName != "allow_xml") {}
+ {} {} {} // Seems to be required to crash
+}
+function f() {}
+function g(n, h) {
+ var t = g(TestCase.toSource());
+}
+g(80, f);
diff --git a/js/src/jscntxt.cpp b/js/src/jscntxt.cpp
index 3673c4cd3cf..2df818edce0 100644
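Review bot: The rewritten comment in CheckOverRecursed names `MAXADDR`, but no identifier of that name appears in the visible lines, and the jscntxt.cpp hunk stores the literal `-1`; the comment above that assignment uses the same term. Someone auditing the interrupt path cannot get from the comment to the value by searching. I would name the value the code actually stores in both comments, e.g. `// Note that we can reach here if ionStackLimit holds its all-ones sentinel (-1), but interrupt`, or introduce a named constant and refer to that. The enclosing function starts and ends outside the hunk.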
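Review bot: The new test asserts only `InternalError: too much recursion`, so it pins the reduced crash but not the behaviour named in the commit title; nothing in it requests an interrupt and checks that Ion-compiled code notices it. If the shell can request an operation callback from a test (I believe `timeout()` does, to be confirmed), a second case running a hot loop under it would catch a regression where the interrupt is silently ignored. A header comment such as `// Bug 787921: TestCase is only passed to toSource(); g() recurses until the over-recursion check fires.` would also help, since `TestCase` is never called and otherwise reads as dead code.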
--- a/js/src/jscntxt.cpp
+++ b/js/src/jscntxt.cpp
@@ -169,9 +169,9 @@ JSRuntime::triggerOperationCallback()
 * Invalidate ionTop to trigger its over-recursion check. Note this must be
 * set before interrupt, to avoid racing with js_InvokeOperationCallback,
 * into a weird state where interrupt is stuck at 0 but ionStackLimit is
- * NULL.
+ * MAXADDR.
 */
- ionStackLimit = 0;
+ ionStackLimit = -1;
 /*
 * Use JS_ATOMIC_SET in the hope that it ensures the write will become
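Review bot: `ionStackLimit = -1;` relies on an implicit conversion of a signed literal to whatever type ionStackLimit has (its declaration is outside the hunk, presumably an unsigned address type) and hard-codes the assumption that the stack grows downward, so that an all-ones limit makes every check fail. I would spell the sentinel out, e.g. `ionStackLimit = uintptr_t(-1);  // highest address: every Ion stack check fails`, or use a named constant shared with the code that restores the real limit. Separately, the comment requires this store to be ordered before the interrupt write, yet it is a plain assignment while the write that follows is described as using JS_ATOMIC_SET; if triggerOperationCallback can be called from a watchdog thread, that ordering deserves an explicit barrier or a comment explaining why none is needed. The function body continues outside the hunk.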