Fix for regression from 288688's patch (288818, tachyonal r=shaver/sr=dbaron).

js/src/jsstr.c

@@ -1390,13 +1390,9 @@ find_replen(JSContext *cx, ReplaceData *rdata, size_t *sizep)
          * clobbered by a RegExp usage in the lambda function.  Note that all
          * members of JSRegExpStatics are JSSubStrings, so not GC roots, save
          * input, which is rooted otherwise via argv[-1] in str_replace.
-         *
-         * We need to clear moreParens in the top-of-stack cx->regExpStatics
-         * to it won't be possibly realloc'ed, leaving the bottom-of-stack
-         * moreParens pointing to freed memory.
          */
         JSRegExpStatics save = cx->regExpStatics;
-        cx->regExpStatics.moreParens = NULL;
+        JSBool freeMoreParens = JS_FALSE;
 
         /*
          * In the lambda case, not only do we find the replacement string's
@@ -1439,6 +1435,14 @@ find_replen(JSContext *cx, ReplaceData *rdata, size_t *sizep)
         for (j = 0; i < m; i++, j++)
             PUSH_REGEXP_STATIC(moreParens[j]);
 
+        /*
+         * We need to clear moreParens in the top-of-stack cx->regExpStatics
+         * to it won't be possibly realloc'ed, leaving the bottom-of-stack
+         * moreParens pointing to freed memory.
+         */
+        cx->regExpStatics.moreParens = NULL;
+        freeMoreParens = JS_TRUE;
+
 #undef PUSH_REGEXP_STATIC
 
         /* Make sure to push undefined for any unmatched parens. */
@@ -1474,7 +1478,8 @@ find_replen(JSContext *cx, ReplaceData *rdata, size_t *sizep)
 
       lambda_out:
         js_FreeStack(cx, mark);
-        JS_free(cx, cx->regExpStatics.moreParens);  /* JS_free is null-safe */
+        if (freeMoreParens)
+            JS_free(cx, cx->regExpStatics.moreParens);
         cx->regExpStatics = save;
         return ok;
     }