1 files changed, 23 insertions, 13 deletions

diff --git a/js/src/jit/Trampoline.cpp b/js/src/jit/Trampoline.cpp
index 85661784a7..e6d0cd31c9 100644
--- a/js/src/jit/Trampoline.cpp
+++ b/js/src/jit/Trampoline.cpp
@@ -96,18 +96,13 @@ void JitRuntime::generateProfilerExitFrameTailStub(MacroAssembler& masm,
   // |
   // ^--- IonICCall <---- Ion
   // |
-  // ^--- Arguments Rectifier
-  // |    ^
-  // |    |
-  // |    ^--- Ion
-  // |    |
-  // |    ^--- Baseline Stub <---- Baseline
-  // |    |
-  // |    ^--- Entry Frame (CppToJSJit or WasmToJSJit)
+  // ^--- Entry Frame (BaselineInterpreter) (unwrapped)
   // |
-  // ^--- Entry Frame (CppToJSJit or WasmToJSJit)
+  // ^--- Arguments Rectifier (unwrapped)
+  // |
+  // ^--- Trampoline Native (unwrapped)
   // |
-  // ^--- Entry Frame (BaselineInterpreter)
+  // ^--- Entry Frame (CppToJSJit or WasmToJSJit)
   //
   // NOTE: Keep this in sync with JSJitProfilingFrameIterator::moveToNextFrame!
 
@@ -153,6 +148,7 @@ void JitRuntime::generateProfilerExitFrameTailStub(MacroAssembler& masm,
   Label handle_BaselineOrIonJS;
   Label handle_BaselineStub;
   Label handle_Rectifier;
+  Label handle_TrampolineNative;
   Label handle_BaselineInterpreterEntry;
   Label handle_IonICCall;
   Label handle_Entry;
@@ -176,6 +172,8 @@ void JitRuntime::generateProfilerExitFrameTailStub(MacroAssembler& masm,
                 &handle_BaselineOrIonJS);
   masm.branch32(Assembler::Equal, scratch, Imm32(FrameType::IonICCall),
                 &handle_IonICCall);
+  masm.branch32(Assembler::Equal, scratch, Imm32(FrameType::TrampolineNative),
+                &handle_TrampolineNative);
   masm.branch32(Assembler::Equal, scratch, Imm32(FrameType::WasmToJSJit),
                 &handle_Entry);
 
@@ -237,9 +235,21 @@ void JitRuntime::generateProfilerExitFrameTailStub(MacroAssembler& masm,
     // There can be multiple previous frame types so just "unwrap" the arguments
     // rectifier frame and try again.
     masm.loadPtr(Address(fpScratch, CallerFPOffset), fpScratch);
-    emitAssertPrevFrameType(fpScratch, scratch,
-                            {FrameType::IonJS, FrameType::BaselineStub,
-                             FrameType::CppToJSJit, FrameType::WasmToJSJit});
+    emitAssertPrevFrameType(
+        fpScratch, scratch,
+        {FrameType::IonJS, FrameType::BaselineStub, FrameType::TrampolineNative,
+         FrameType::CppToJSJit, FrameType::WasmToJSJit});
+    masm.jump(&again);
+  }
+
+  masm.bind(&handle_TrampolineNative);
+  {
+    // Unwrap this frame, similar to arguments rectifier frames.
+    masm.loadPtr(Address(fpScratch, CallerFPOffset), fpScratch);
+    emitAssertPrevFrameType(
+        fpScratch, scratch,
+        {FrameType::IonJS, FrameType::BaselineStub, FrameType::Rectifier,
+         FrameType::CppToJSJit, FrameType::WasmToJSJit});
     masm.jump(&again);
   }