From 2e279d462625df601152175e05cdcda29d8c8b44 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Wed, 3 Jul 2013 14:34:11 +0200
Subject: [PATCH] Bug 886277. r=djvj

---
 js/src/ion/IonFrames.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/js/src/ion/IonFrames.cpp b/js/src/ion/IonFrames.cpp
index ffe558425318..94cf44c52c6c 100644
--- a/js/src/ion/IonFrames.cpp
+++ b/js/src/ion/IonFrames.cpp
@@ -411,6 +411,13 @@ HandleException(JSContext *cx, const IonFrameIterator &frame, ResumeFromExceptio
         if (pcOffset >= tn->start + tn->length)
             continue;
 
+        // Skip if the try note's stack depth exceeds the frame's stack depth.
+        // See the big comment in TryNoteIter::settle for more info.
+        JS_ASSERT(frame.baselineFrame()->numValueSlots() >= script->nfixed);
+        size_t stackDepth = frame.baselineFrame()->numValueSlots() - script->nfixed;
+        if (tn->stackDepth > stackDepth)
+            continue;
+
         // Unwind scope chain (pop block objects).
         if (cx->isExceptionPending())
             UnwindScope(cx, frame.baselineFrame(), tn->stackDepth);