Bug 493177 - Browser crashes in loading of certain page.[@ js_Interpret] (r=mrbkap).

2024-12-04 19:33:18 +00:00 · 2009-05-15 17:13:34 -07:00 · 2009-05-15 17:13:34 -07:00 · 5648bbb12a
commit 5648bbb12a
parent 9e84859560
1 changed files with 19 additions and 3 deletions
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@ -1847,10 +1847,26 @@ MakeUpvarForEval(JSParseNode *pn, JSCodeGenerator *cg)
    uintN upvarLevel = fun->u.i.script->staticLevel;

    JSFunctionBox *funbox = cg->funbox;
-    while (funbox && funbox->level >= upvarLevel) {
-        if (funbox->node->pn_dflags & PND_FUNARG)
+    if (funbox) {
+        /*
+         * Treat top-level function definitions as escaping (i.e., as funargs),
+         * required since we compile each such top level function or statement
+         * and throw away the AST, so we can't yet see all funarg uses of this
+         * function being compiled (cg->funbox->object). See bug 493177.
+         */
+        if (funbox->level == fun->u.i.script->staticLevel + 1U &&
+            !(((JSFunction *) funbox->object)->flags & JSFUN_LAMBDA)) {
+            JS_ASSERT(((JSFunction *) funbox->object)->atom);
            return true;
-        funbox = funbox->parent;
+        }
+
+        while (funbox->level >= upvarLevel) {
+            if (funbox->node->pn_dflags & PND_FUNARG)
+                return true;
+            funbox = funbox->parent;
+            if (!funbox)
+                break;
+        }
    }

    JSContext *cx = cg->compiler->context;