Bug 525028: don't set args object properties from trace, r=dvander

js/src/jsfun.cpp

@@ -555,17 +555,21 @@ ArgGetter(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
 static JSBool
 ArgSetter(JSContext *cx, JSObject *obj, jsval idval, jsval *vp)
 {
+    // To be able to set a property here on trace, we would have to make
+    // sure any updates also get written back to the trace native stack.
+    // For simplicity, we just leave trace, since this is presumably not
+    // a common operation.
+    if (JS_ON_TRACE(cx)) {
+        js_DeepBail(cx);
+        return false;
+    }
+
     if (!JS_InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
         return true;
 
     if (JSVAL_IS_INT(idval)) {
         uintN arg = uintN(JSVAL_TO_INT(idval));
         if (arg < GetArgsLength(obj)) {
-            if (js_GetArgsPrivateNative(obj)) {
-                js_LeaveTrace(cx);
-                return false;
-            }
-
             JSStackFrame *fp = (JSStackFrame *) obj->getPrivate();
             if (fp) {
                 fp->argv[arg] = *vp;

js/src/jstracer.cpp

@@ -11827,6 +11827,9 @@ TraceRecorder::record_JSOP_SETELEM()
     LIns* idx_ins = get(&idx);
     LIns* v_ins = get(&v);
 
+    if (JS_InstanceOf(cx, obj, &js_ArgumentsClass, NULL))
+        RETURN_STOP_A("can't trace setting elements of the |arguments| object");
+
     if (!JSVAL_IS_INT(idx)) {
         if (!JSVAL_IS_PRIMITIVE(idx))
             RETURN_STOP_A("non-primitive index");