Bug 546615 - Crash [@ BindNameToSlot] or "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp". r=brendan.
authorJason Orendorff <jorendorff@mozilla.com>
Thu, 18 Feb 2010 16:01:25 -0600
changeset 38596 36487442aeb0aac85d17a8c95a1168301b20b2b1
parent 38595 3b25677f1feedc46d2f92924b29c5afdd2416ffa
child 38597 9b9745f43c782c015043516dac59ac1dc6647b88
push idunknown
push userunknown
push dateunknown
reviewersbrendan
bugs546615
milestone1.9.3a2pre
Bug 546615 - Crash [@ BindNameToSlot] or "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp". r=brendan.
js/src/jsparse.cpp
js/src/tests/js1_8_5/regress/regress-546615.js
--- a/js/src/jsparse.cpp
+++ b/js/src/jsparse.cpp
@@ -7461,37 +7461,37 @@ AttributeIdentifier(JSContext *cx, JSTok
 
 /*
  * Make a TOK_LC unary node whose pn_kid is an expression.
  */
 static JSParseNode *
 XMLExpr(JSContext *cx, JSTokenStream *ts, JSBool inTag, JSTreeContext *tc)
 {
     JSParseNode *pn, *pn2;
-    uintN oldflags;
+    uintN oldflag;
 
     JS_ASSERT(CURRENT_TOKEN(ts).type == TOK_LC);
     pn = NewParseNode(PN_UNARY, tc);
     if (!pn)
         return NULL;
 
     /*
-     * Turn off XML tag mode, but don't restore it after parsing this braced
-     * expression.  Instead, simply restore ts's old flags.  This is required
-     * because XMLExpr is called both from within a tag, and from within text
-     * contained in an element, but outside of any start, end, or point tag.
+     * Turn off XML tag mode. We save the old value of the flag because it may
+     * already be off: XMLExpr is called both from within a tag, and from
+     * within text contained in an element, but outside of any start, end, or
+     * point tag.
      */
-    oldflags = ts->flags;
-    ts->flags = oldflags & ~TSF_XMLTAGMODE;
+    oldflag = ts->flags & TSF_XMLTAGMODE;
+    ts->flags &= ~TSF_XMLTAGMODE;
     pn2 = Expr(cx, ts, tc);
     if (!pn2)
         return NULL;
 
     MUST_MATCH_TOKEN(TOK_RC, JSMSG_CURLY_IN_XML_EXPR);
-    ts->flags = oldflags;
+    ts->flags |= oldflag;
     pn->pn_kid = pn2;
     pn->pn_op = inTag ? JSOP_XMLTAGEXPR : JSOP_XMLELTEXPR;
     return pn;
 }
 
 /*
  * Make a terminal node for one of TOK_XMLNAME, TOK_XMLATTR, TOK_XMLSPACE,
  * TOK_XMLTEXT, TOK_XMLCDATA, TOK_XMLCOMMENT, or TOK_XMLPI.  When converting
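Review bot: The rewritten comment above `oldflag = ts->flags & TSF_XMLTAGMODE;` explains why the old bit is saved, but not why the restore was narrowed to `ts->flags |= oldflag;`, which is the actual fix. The old `ts->flags = oldflags;` overwrote every scanner flag with a copy taken before `Expr()` ran, so any state the scanner recorded while reading the braced expression was discarded. I would add a line such as `/* Restore only TSF_XMLTAGMODE: other ts->flags bits may have changed while scanning the expression and must be kept. */` so that nobody reverts to a whole-word restore. Separately, the `return NULL` after `Expr()` and, presumably, the failure branch of `MUST_MATCH_TOKEN` leave tag mode cleared. That predates this change and is likely harmless if the parse is abandoned on error, but it is worth confirming.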
new file mode 100644
--- /dev/null
+++ b/js/src/tests/js1_8_5/regress/regress-546615.js
@@ -0,0 +1,14 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ * Contributors: Gary Kwong and Jason Orendorff
+ */
+gTestfile = 'regress-546615';
+
+try {
+    <y a={0
+           }/>;/*7890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901*/x(x
+        for(x in z));
+} catch (exc) {}
+
+reportCompare("no crash", "no crash", "Don't crash due to incorrect column numbers in long lines starting in XML.");
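Review bot: Nothing in the test says that the long `/*7890…*/` comment is load-bearing, so a later cleanup that wraps or shortens that line would leave a test that can never fail. Judging by the reportCompare message, the crash depends on the length of the line that begins inside the XML tag, presumably past some scanner line-length limit. A comment above the `try`, such as `// Do not reflow: the line that closes the XML literal must stay this long to reproduce bug 546615.`, would record that. The empty `catch (exc) {}` is reasonable for a crash-only test, but a short comment saying an exception is expected (`x` and `z` are not defined in the visible lines) would make the intent explicit.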