From bd00a15d851dbc5e99b1d3d400d28f010aaa41dd Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Fri, 14 Dec 2012 13:48:46 -0600
Subject: [PATCH] Bug 745194 - [jsdbg2] Crash on Heap, trying to execute NULL, with Debugger forced return, methodjit, and GC. r=bhackett.
--HG--
extra : rebase_source : f5dbf256b10161f0859df94dcccec123415d7a4b
---
 .../debug/Debugger-onEnterFrame-resumption-06.js | 13 +++++++++++++
 .../debug/Debugger-onEnterFrame-resumption-07.js | 16 ++++++++++++++++
 js/src/methodjit/InvokeHelpers.cpp | 7 +++++++
 3 files changed, 36 insertions(+)
 create mode 100644 js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-06.js
 create mode 100644 js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-07.js
diff --git a/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-06.js b/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-06.js
new file mode 100644
index 00000000000..44665175c65
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-06.js
@@ -0,0 +1,13 @@
+// |jit-test| mjitalways
+// Bug 745194.
+
+var g = newGlobal('new-compartment');
+var dbg = Debugger(g);
+g.eval("function f() {}");
+dbg.onEnterFrame = function (frame) {
+ if (frame.type == 'call') {
+ gc();
+ return { return: 'PASS' };
+ }
+};
+assertEq(g.eval("f()"), 'PASS');
diff --git a/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-07.js b/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-07.js
new file mode 100644
index 00000000000..fdc969429c65
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Debugger-onEnterFrame-resumption-07.js
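Review bot: The `gc()` call inside the onEnterFrame hook is the load-bearing part of this regression test, yet nothing in the file says why it is there, so a later cleanup could drop it and the test would still pass on fixed code without guarding the bug. A comment above it, e.g. `// The collection discards the JIT frame's native return address (presumably via ClearAllFrames, named in InvokeHelpers.cpp); the forced return below must survive that.`, would keep the intent readable, with the mechanism wording confirmed against what the GC actually does. The `frame.type == 'call'` comparison on the line before it should be strict equality, `if (frame.type === 'call') {`, in new test code. The remaining lines need no change.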
@@ -0,0 +1,16 @@
+// |jit-test| mjitalways
+// Bug 745194.
+
+var g = newGlobal('new-compartment');
+g.eval("function f() {}" +
+ "function h() { return new f; }");
+var dbg = Debugger(g);
+dbg.onEnterFrame = function (frame) {
+ if (frame.constructing) {
+ gc();
+ return { return: 0 };
+ }
+};
+var result = g.eval("h()");
+assertEq(typeof result, 'object');
+assertEq(Object.getPrototypeOf(result), g.f.prototype);
diff --git a/js/src/methodjit/InvokeHelpers.cpp b/js/src/methodjit/InvokeHelpers.cpp
index dd1cbe6a80b..675979b3ce7
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -668,12 +668,19 @@ stubs::ScriptDebugPrologue(VMFrame &f)
 switch (status) {
 case JSTRAP_CONTINUE:
 break;
+
 case JSTRAP_RETURN:
+ if (!f.fp()->nativeReturnAddress()) {
+ // ClearAllFrames was called. Resume in the interpreter.
+ f.fp()->setNativeReturnAddress(JS_FUNC_TO_DATA_PTR(void *, JaegerInterpolineScripted));
+ }
 *f.returnAddressLocation() = f.cx->jaegerRuntime().forceReturnFromFastCall();
 return;
+
 case JSTRAP_ERROR:
 case JSTRAP_THROW:
 THROW();
+
 default:
 JS_NOT_REACHED("bad ScriptDebugPrologue status");
 }
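Review bot: The contract this test pins is only implicit: the hook forces `return: 0`, a primitive, out of a constructing frame, and the two assertEq lines then require the result to be an object whose prototype is `g.f.prototype`, i.e. the constructor's own object must win over the forced primitive even after the `gc()` in the hook. A comment before `var result` would make that explicit, e.g. `// A primitive forced return from a constructing frame must be replaced by the new object, even after a GC in the hook.` As in the sibling test, the `gc()` line itself deserves a one-line why-comment so it is not removed as dead weight. The hook also fires for the non-constructing `h()` call frame and the eval frame, where `frame.constructing` is false and nothing is returned; that is fine but worth a word so readers do not expect the forced return there.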
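Review bot: The new guard repairs a NULL `nativeReturnAddress()` only on the JSTRAP_RETURN path, while the JSTRAP_ERROR/JSTRAP_THROW path reaches `THROW()` with the same possibly-cleared frame; whether that unwind ever consults the native return address is not visible in this hunk, so it is worth confirming that the NULL-jump from the bug title cannot recur there. The added comment names ClearAllFrames but not the consequence, and I would spell out the hazard: `// ClearAllFrames (reached, per the tests, from a GC inside the hook) NULLed this frame's native return address; forceReturnFromFastCall would otherwise return into NULL, so route the return through the interpoline.` Any other call site of `forceReturnFromFastCall()` that can run after a debugger hook presumably needs the same check, which I cannot see from here. The enclosing `stubs::ScriptDebugPrologue(VMFrame &f)` starts before this hunk and continues after its closing brace.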