Bugs, bugs bugs:

- js_DecompileValueGenerator had rusted due to bytecode/source-note changes,
  or maybe parts of it never worked right.  Anyway, it now does not induce a
  crashing underflow in the decompiler.  As part of this fix, it now takes a
  checkStack flag telling whether to look for the jsval v argument on the JS
  stack.  The calls from ImportProperty, js_SetProperty, and js_DeleteProperty
  pass in v a jsval for the property id, which should not be sought after on
  the stack (it might happen to be there due to o['p'] = 2, but we want to
  decompile o["p"], not "p").
- js_DecompileValueGenerator would load a generating pc even if the value v
  did not match the pc's corresponding stack item!  Oops.  This lead to less
  than idea diagnostics.
- js_DecompileValueGenerator was also not mapping JSOP_TRAP to the real op at
  a sufficiently early and univeral point in its control flow.
- Fix PopOff to assert and check for stack underflow in the decompiler, and
  beef up PushOff too (it asserted, but did not check).
- js_ReportIsNotFunction now avoids JS_InternString by indexing directly into
  cx->runtime->atomState.typeAtoms with the result of JS_TypeOfValue.
- Removed unnecessary local GC root reserved by non-zero trailing member of
  obj_eval's JSFunctionSpec initializer.

js/src/jsopcode.h

@@ -181,10 +181,12 @@ js_DecompileFunction(JSPrinter *jp, JSFunction *fun, JSBool newlines);
 /*
  * Find the source expression that resulted in v, and return a new string
  * containing it.  Fall back on v's string conversion if we can't find the
- * bytecode that generated and pushed v on the operand stack.
+ * bytecode that generated and pushed v on the operand stack.  Don't look
+ * for v on the stack if checkStack is false.
  */
 extern JSString *
-js_DecompileValueGenerator(JSContext *cx, jsval v, JSString *fallback);
+js_DecompileValueGenerator(JSContext *cx, JSBool checkStack, jsval v,
+			   JSString *fallback);
 
 JS_END_EXTERN_C