[INFER] Don't try to fixup doubles on adjusted frame in call path, bug 649769.

js/src/jit-test/tests/jaeger/recompile/bug649769.js

@@ -0,0 +1,16 @@
+
+function g(x) {
+    if (!x) {
+        throw 1;
+    }
+}
+
+function f(a, b, c, d) {
+    var x = [].push(3);
+    g(true);
+    assertEq(x, 1);
+}
+f(1.2, 2, 3, 4);
+gc();
+f(1, 2, 3, 4);
+

js/src/methodjit/Compiler.cpp

@@ -2062,6 +2062,7 @@ mjit::Compiler::generateMethod()
                     stubcc.masm.move(Imm32(frameSize.staticArgc()), JSParamReg_Argc);
                 else
                     stubcc.masm.load32(FrameAddress(offsetof(VMFrame, u.call.dynamicArgc)), JSParamReg_Argc);
+                stubcc.masm.loadPtr(FrameAddress(offsetof(VMFrame, regs.sp)), JSFrameReg);
 
                 CallPatchInfo callPatch;
                 callPatch.hasSlowNcode = true;
@@ -3291,8 +3292,7 @@ mjit::Compiler::emitUncachedCall(uint32 argc, bool callingNew)
 
     Jump notCompiled = masm.branchTestPtr(Assembler::Zero, r0, r0);
 
-    if (!cx->typeInferenceEnabled())
-        masm.loadPtr(FrameAddress(offsetof(VMFrame, regs.fp)), JSFrameReg);
+    masm.loadPtr(FrameAddress(offsetof(VMFrame, regs.sp)), JSFrameReg);
 
     callPatch.hasFastNcode = true;
     callPatch.fastNcodePatch =
@@ -3679,8 +3679,7 @@ mjit::Compiler::inlineCallHelper(uint32 callImmArgc, bool callingNew, FrameSize
             stubcc.masm.move(Imm32(callIC.frameSize.staticArgc()), JSParamReg_Argc);
         else
             stubcc.masm.load32(FrameAddress(offsetof(VMFrame, u.call.dynamicArgc)), JSParamReg_Argc);
-        if (!cx->typeInferenceEnabled())
-            stubcc.masm.loadPtr(FrameAddress(offsetof(VMFrame, regs.fp)), JSFrameReg);
+        stubcc.masm.loadPtr(FrameAddress(offsetof(VMFrame, regs.sp)), JSFrameReg);
         callPatch.hasSlowNcode = true;
         callPatch.slowNcodePatch =
             stubcc.masm.storePtrWithPatch(ImmPtr(NULL),

js/src/methodjit/InvokeHelpers.cpp

@@ -428,6 +428,14 @@ UncachedInlineCall(VMFrame &f, uint32 flags, void **pret, bool *unjittable, uint
     if (!newType) {
         if (JITScript *jit = newscript->getJIT(newfp->isConstructing())) {
             *pret = jit->invokeEntry;
+
+            /*
+             * Keep the old fp around and let the JIT code repush it. If we are
+             * rejoining into a recompiled frame then the code patching up
+             * doubles needs to see the calling script's frame.
+             */
+            f.regs.sp = (Value *) f.regs.fp;
+            f.regs.fp = f.regs.fp->prev();
             return true;
         }
     }