From 55e82e734aec95b58aab31e56aeb9145991d00eb Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Fri, 17 Oct 2014 10:16:38 +0100
Subject: [PATCH] Bug 1083716 - This value for scripts not marked in Ion frame r=nbp
---
 js/src/jit/IonFrames.cpp | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp
index 3fc603d735ef..3f2a9a53ebff 100644
--- a/js/src/jit/IonFrames.cpp
+++ b/js/src/jit/IonFrames.cpp
@@ -869,12 +869,16 @@ ReadAllocation(const JitFrameIterator &frame, const LAllocation *a)
 #endif
 static void
-MarkActualArguments(JSTracer *trc, const JitFrameIterator &frame)
+MarkFrameAndActualArguments(JSTracer *trc, const JitFrameIterator &frame)
 {
+ // The trampoline produced by |generateEnterJit| is pushing |this| on the
+ // stack, as requested by |setEnterJitData|. Thus, this function is also
+ // used for marking the |this| value of the top-level frame.
+
 IonJSFrameLayout *layout = frame.jsFrame();
- MOZ_ASSERT(CalleeTokenIsFunction(layout->calleeToken()));
 size_t nargs = frame.numActualArgs();
+ MOZ_ASSERT_IF(!CalleeTokenIsFunction(layout->calleeToken()), nargs == 0);
 // Trace function arguments. Note + 1 for thisv.
 Value *argv = layout->argv();
@@ -919,8 +923,7 @@ MarkIonJSFrame(JSTracer *trc, const JitFrameIterator &frame)
 ionScript = frame.ionScriptFromCalleeToken();
 }
- if (CalleeTokenIsFunction(layout->calleeToken()))
- MarkActualArguments(trc, frame);
+ MarkFrameAndActualArguments(trc, frame);
 const SafepointIndex *si = ionScript->getSafepointIndex(frame.returnAddressToFp());
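Review bot: The only guard on how many slots get traced for a non-function frame is `MOZ_ASSERT_IF(!CalleeTokenIsFunction(layout->calleeToken()), nargs == 0);`, and it is presumably compiled out of release builds like other MOZ_ASSERT checks. The trace loop that uses `nargs` and `argv` lies below the hunk, so whether a non-zero count could ever be read for a script frame cannot be confirmed from here. The new comment explains why `|this|` is on the stack but not why the argument count is zero. I would add a comment directly above the assertion, for example `// Script (non-function) frames carry no actual arguments, so only |this| at argv[0] is traced.`, and name where that count is established. As a smaller point, the function marks `|this|` and the actual arguments rather than the frame, so a name that says so would read more accurately than `MarkFrameAndActualArguments`.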
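Review bot: The now-unconditional call `MarkFrameAndActualArguments(trc, frame);` in MarkIonJSFrame has no comment saying why the `CalleeTokenIsFunction` guard was dropped, so a later cleanup could put the guard back and leave `|this|` of a top-level script untraced again. A one-line comment at the call site would prevent that, for example `// Must run for script frames too: their |this| lives in the frame and has to be traced.` The diffstat lists only IonFrames.cpp, so no regression test appears to come with the fix. A test that collects garbage while a top-level script is running in Ion would keep this marking path covered. MarkIonJSFrame starts and ends outside the hunk.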