From 2cd6daa202c42a174865c3084b995b31a56f415e Mon Sep 17 00:00:00 2001
From: Bill McCloskey <wmccloskey@mozilla.com>
Date: Wed, 22 Feb 2012 10:39:58 -0800
Subject: [PATCH] Bug 728190 - Update stack later in Arguments (r=bhackett)

---
 js/src/jit-test/tests/basic/bug728190.js | 23 +++++++++++++++++++++++
 js/src/methodjit/StubCalls.cpp           |  5 +++--
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 js/src/jit-test/tests/basic/bug728190.js

diff --git a/js/src/jit-test/tests/basic/bug728190.js b/js/src/jit-test/tests/basic/bug728190.js
new file mode 100644
index 000000000000..6ce7bbb0d5fc
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug728190.js
@@ -0,0 +1,23 @@
+
+function TestCase(n, d, e, a) {}
+var lfcode = new Array();
+lfcode.push("");
+lfcode.push("\
+  var summary = 'foo';\
+  test();\
+  function test() {\
+    test(\"TEST-UNEXPECTED-FAIL | TestPerf | \" + summary);\
+  }\
+");
+lfcode.push("gczeal(2);");
+lfcode.push("\
+  new TestCase(TestFunction_3( \"P\", \"A\", \"S\", \"S\" ) +\"\");\
+  new TestCase(TestFunction_4( \"F\", \"A\", (\"length\"), \"L\" ) +\"\");\
+  function TestFunction_3( a, b, c, d, e ) {\
+    TestFunction_3(arguments);\
+  }\
+");
+while (true) {
+        var file = lfcode.shift(); if (file == undefined) { break; }
+        try { evaluate(file); } catch (lfVare) {}
+}
diff --git a/js/src/methodjit/StubCalls.cpp b/js/src/methodjit/StubCalls.cpp
index 3645a642dcac..7f5ed1c483c4 100644
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -1363,9 +1363,10 @@ stubs::FlatLambda(VMFrame &f, JSFunction *fun)
 void JS_FASTCALL
 stubs::Arguments(VMFrame &f)
 {
-    f.regs.sp++;
-    if (!js_GetArgsValue(f.cx, f.fp(), &f.regs.sp[-1]))
+    Value argsobj;
+    if (!js_GetArgsValue(f.cx, f.fp(), &argsobj))
         THROW();
+    f.regs.sp[0] = argsobj;
 }
 
 JSBool JS_FASTCALL