From 2900e47cec38755348cfcfa9830cd1b5c8abd3b2 Mon Sep 17 00:00:00 2001
From: Ryan VanderMeulen
Date: Tue, 23 Jun 2015 16:27:49 -0400
Subject: [PATCH] Backed out changeset fe813debcd79 (bug 1172498) for crashes. CLOSED TREE
---
 js/src/jit-test/tests/ion/bug1172498.js | 3 ---
 js/src/jit/JitFrames.cpp | 13 +++----------
 2 files changed, 3 insertions(+), 13 deletions(-)
 delete mode 100644 js/src/jit-test/tests/ion/bug1172498.js
diff --git a/js/src/jit-test/tests/ion/bug1172498.js b/js/src/jit-test/tests/ion/bug1172498.js
deleted file mode 100644
index 705cc109b83a..000000000000
--- a/js/src/jit-test/tests/ion/bug1172498.js
+++ /dev/null
@@ -1,3 +0,0 @@
-for(var e=1; e<10000; e++) {
- new (function (c) { eval("var y"); });
-}
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
index 128670abbf5c..54b7a3ccd6c2 100644
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -11,7 +11,6 @@
 #include "jsfun.h"
 #include "jsobj.h"
 #include "jsscript.h"
-#include "jsutil.h"
 #include "gc/Marking.h"
 #include "jit/BaselineDebugModeOSR.h"
@@ -1048,11 +1047,9 @@ MarkThisAndArguments(JSTracer* trc, JitFrameLayout* layout)
 size_t nargs = layout->numActualArgs();
 size_t nformals = 0;
- size_t newTargetOffset = 0;
 if (CalleeTokenIsFunction(layout->calleeToken())) {
 JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
 nformals = fun->nonLazyScript()->argumentsHasVarBinding() ? 0 : fun->nargs();
- newTargetOffset = Max(nargs, fun->nargs());
 }
 Value* argv = layout->argv();
@@ -1060,14 +1057,10 @@ MarkThisAndArguments(JSTracer* trc, JitFrameLayout* layout)
 // Trace |this|.
 TraceRoot(trc, argv, "ion-thisv");
- // Trace actual arguments beyond the formals. Note + 1 for thisv.
- for (size_t i = nformals + 1; i < nargs + 1; i++)
+ // Trace actual arguments and newTarget beyond the formals. Note + 1 for thisv.
+ bool constructing = CalleeTokenIsConstructing(layout->calleeToken());
+ for (size_t i = nformals + 1; i < nargs + 1 + constructing; i++)
 TraceRoot(trc, &argv[i], "ion-argv");
-
- // Always mark the new.target from the frame. It's not in the snapshots.
- // +1 to pass |this|
- if (CalleeTokenIsConstructing(layout->calleeToken()))
- TraceRoot(trc, &argv[1 + newTargetOffset], "ion-newTarget");
 }
 static void
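Review bot: The restored loop bound `i < nargs + 1 + constructing` reaches new.target only if it sits directly after the actual arguments, yet the lines being removed located it at `argv[1 + Max(nargs, fun->nargs())]` and noted that it is "not in the snapshots". If that layout holds, a constructing call with fewer actuals than formals leaves new.target untraced here, and an untraced Value in a JIT frame can go stale across a GC, which is a memory-safety hazard rather than only a correctness one. Since the backout also deletes `bug1172498.js`, nothing guards this case any more; I would at least record it above the loop, e.g. `// FIXME(bug 1172498): when nargs < fun->nargs(), new.target may lie past argv[nargs + 1] and is not traced.` MarkThisAndArguments starts before this hunk, so the frame layout is inferred from the removed lines rather than seen.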