Bug 554670: abort tracing on out-of-range args element read

js/src/jstracer.cpp

@@ -11751,10 +11751,9 @@ TraceRecorder::record_JSOP_GETELEM()
             uintN int_idx = JSVAL_TO_INT(idx);
             jsval* vp = &afp->argv[int_idx];
             if (idx_ins->isconstf()) {
-                if (int_idx >= 0 && int_idx < afp->argc)
-                    v_ins = get(vp);
-                else
-                    v_ins = INS_VOID();
+                if (int_idx < 0 || int_idx >= afp->argc)
+                    RETURN_STOP_A("cannot trace arguments with out of range index");
+                v_ins = get(vp);
             } else {
                 // If the index is not a constant expression, we generate LIR to load the value from
                 // the native stack area. The guard on js_ArgumentClass above ensures the up-to-date

js/src/trace-test/tests/arguments/bug554670-1.js

@@ -0,0 +1,8 @@
+x = true;
+(function() {
+  for each(let c in [0, x]) {
+    (arguments)[4] *= c
+  }
+})()
+
+// don't assert

js/src/trace-test/tests/arguments/bug554670-2.js

@@ -0,0 +1,8 @@
+var c;
+(function() {
+  for each(e in [0, 0]) {
+    (arguments)[1] *= c
+  }
+})()
+
+// don't assert