From 5648bbb12ac225d3b13b13bc8e030c17c91260ef Mon Sep 17 00:00:00 2001
From: Brendan Eich
Date: Fri, 15 May 2009 17:13:34 -0700
Subject: [PATCH] Bug 493177 - Browser crashes in loading of certain page.[@ js_Interpret] (r=mrbkap).
---
 js/src/jsemit.cpp | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/js/src/jsemit.cpp b/js/src/jsemit.cpp
index df325e8da929..fab39d011595 100644
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -1847,10 +1847,26 @@ MakeUpvarForEval(JSParseNode *pn, JSCodeGenerator *cg)
 uintN upvarLevel = fun->u.i.script->staticLevel;
 JSFunctionBox *funbox = cg->funbox;
- while (funbox && funbox->level >= upvarLevel) {
- if (funbox->node->pn_dflags & PND_FUNARG)
+ if (funbox) {
+ /*
+ * Treat top-level function definitions as escaping (i.e., as funargs),
+ * required since we compile each such top level function or statement
+ * and throw away the AST, so we can't yet see all funarg uses of this
+ * function being compiled (cg->funbox->object). See bug 493177.
+ */
+ if (funbox->level == fun->u.i.script->staticLevel + 1U &&
+ !(((JSFunction *) funbox->object)->flags & JSFUN_LAMBDA)) {
+ JS_ASSERT(((JSFunction *) funbox->object)->atom);
 return true;
- funbox = funbox->parent;
+ }
+
+ while (funbox->level >= upvarLevel) {
+ if (funbox->node->pn_dflags & PND_FUNARG)
+ return true;
+ funbox = funbox->parent;
+ if (!funbox)
+ break;
+ }
 }
 JSContext *cx = cg->compiler->context;
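Review bot: The new early-return test recomputes `fun->u.i.script->staticLevel + 1U` although `upvarLevel` already holds that value from the first context line, and it casts `funbox->object` to `JSFunction *` twice with only a debug-build `JS_ASSERT` behind the cast. I would write the comparison as `funbox->level == upvarLevel + 1U` and hoist the cast into a single local, e.g. `JSFunction *boxfun = (JSFunction *) funbox->object;`, so the level test cannot drift from the loop below it and the assumption that the box holds a function object is stated in one place. Because this change fixes a crash reported in js_Interpret, a regression test covering the top-level-function case described in the comment should accompany it; the diffstat shows only jsemit.cpp changing. MakeUpvarForEval begins and ends outside the hunk, so how callers use the `true` return is not visible here.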