From 663c1017db4c9c29fe5f3ac9ba1c38626424886e Mon Sep 17 00:00:00 2001
From: Andreas Gal
Date: Wed, 24 Sep 2008 16:45:27 -0700
Subject: [PATCH] Only fasttrack applys where the arguments array has the same lengths as the expected arguments of the called function (456494, r=brendan).
---
 js/src/jstracer.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index 9189c45a18b0..6bb4413e294b 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -4927,8 +4927,10 @@ TraceRecorder::record_JSOP_CALL()
 if (!FUN_INTERPRETED(tfun))
 ABORT_TRACE("can't trace Function.prototype.apply(native_function, arguments)");
+ // We can only fasttrack applys where the argument array we pass in has the
+ // same length (fp->argc) as the number of arguments the function expects (tfun->nargs).
 argc = fp->argc;
- if (tfun->nargs != argc)
+ if (tfun->nargs != argc || fp->fun->nargs != argc)
 ABORT_TRACE("can't trace Function.prototype.apply(scripted_function, arguments)");
 jsval* sp = fp->regs->sp - 4;
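Review bot: The added comment explains only the `tfun->nargs` comparison, but the new condition also requires `fp->fun->nargs == argc`, and nothing in the hunk says why the calling frame's declared argument count matters. This guard is what keeps the apply fast path from running with mismatched argument counts; presumably the code after `jsval* sp = fp->regs->sp - 4;`, which lies outside this hunk, reads the caller's argument slots. The comment should therefore name both conditions, for example `// Both the callee (tfun->nargs) and the calling frame (fp->fun->nargs) must declare exactly fp->argc arguments.` `fp->fun` is also dereferenced with no null check visible here; that is presumably safe because passing `arguments` implies a function frame, but it is worth confirming or asserting. The body of record_JSOP_CALL starts and ends outside the hunk.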