Bug 625333 - tracer generated code reads stack memory it didn't write. r=lw.

js/src/jsbuiltins.cpp

@@ -167,6 +167,12 @@ js_DoubleToUint32(jsdouble d)
 }
 JS_DEFINE_CALLINFO_1(extern, UINT32, js_DoubleToUint32, DOUBLE, 1, ACCSET_NONE)
 
+/*
+ * js_StringToNumber and js_StringToInt32 store into their second argument, so
+ * they need to be annotated accordingly.  To be future-proof, we use
+ * ACCSET_STORE_ANY so that new callers don't have to remember to update the
+ * annotation.
+ */
 jsdouble FASTCALL
 js_StringToNumber(JSContext* cx, JSString* str, JSBool *ok)
 {
@@ -174,7 +180,8 @@ js_StringToNumber(JSContext* cx, JSString* str, JSBool *ok)
     *ok = StringToNumberType<jsdouble>(cx, str, &out);
     return out;
 }
-JS_DEFINE_CALLINFO_3(extern, DOUBLE, js_StringToNumber, CONTEXT, STRING, BOOLPTR, 1, ACCSET_NONE)
+JS_DEFINE_CALLINFO_3(extern, DOUBLE, js_StringToNumber, CONTEXT, STRING, BOOLPTR,
+                     0, ACCSET_STORE_ANY)
 
 int32 FASTCALL
 js_StringToInt32(JSContext* cx, JSString* str, JSBool *ok)
@@ -183,7 +190,8 @@ js_StringToInt32(JSContext* cx, JSString* str, JSBool *ok)
     *ok = StringToNumberType<int32>(cx, str, &out);
     return out;
 }
-JS_DEFINE_CALLINFO_3(extern, INT32, js_StringToInt32, CONTEXT, STRING, BOOLPTR, 1, ACCSET_NONE)
+JS_DEFINE_CALLINFO_3(extern, INT32, js_StringToInt32, CONTEXT, STRING, BOOLPTR,
+                     0, ACCSET_STORE_ANY)
 
 /* Nb: it's always safe to set isDefinitelyAtom to false if you're unsure or don't know. */
 static inline JSBool