Bug 500580 - JS_CallFunction path isn't ~JIT guarded against non-global scope chains, r=brendan.

js/src/jsinterp.cpp

@@ -1448,6 +1448,17 @@ js_InternalInvoke(JSContext *cx, JSObject *obj, jsval fval, uintN flags,
     JSBool ok;
 
     js_LeaveTrace(cx);
+
+#ifdef JS_TRACER
+    /*
+     * The JIT requires that the scope chain here is equal to its global
+     * object. Disable the JIT for this call if this condition is not true.
+     */
+    uint32 oldOptions = cx->options;
+    if ((oldOptions & JSOPTION_JIT) && obj != JS_GetGlobalForObject(cx, obj))
+        cx->options &= ~JSOPTION_JIT;
+#endif
+
     invokevp = js_AllocStack(cx, 2 + argc, &mark);
     if (!invokevp)
         return JS_FALSE;
@@ -1477,6 +1488,13 @@ js_InternalInvoke(JSContext *cx, JSObject *obj, jsval fval, uintN flags,
     }
 
     js_FreeStack(cx, mark);
+
+#ifdef JS_TRACER
+    /* Possibly re-enable JIT, if disabled above. */
+    if (oldOptions & JSOPTION_JIT)
+        cx->options |= JSOPTION_JIT;
+#endif
+
     return ok;
 }
 
@@ -1536,15 +1554,12 @@ js_Execute(JSContext *cx, JSObject *chain, JSScript *script,
 
 #ifdef JS_TRACER
     /* 
-     * The JIT requires that the scope chain here is equal to
-     * its global object. Disable the JIT for this call if this 
-     * condition is not true. 
+     * The JIT requires that the scope chain here is equal to its global
+     * object. Disable the JIT for this call if this condition is not true.
      */
     uint32 oldOptions = cx->options;
-    if ((oldOptions & JSOPTION_JIT) &&
-        chain != JS_GetGlobalForObject(cx, chain)) {
+    if ((oldOptions & JSOPTION_JIT) && chain != JS_GetGlobalForObject(cx, chain))
         cx->options &= ~JSOPTION_JIT;
-    }
 #endif
 
 #ifdef INCLUDE_MOZILLA_DTRACE