Bug 493177 - Browser crashes in loading of certain page.[@ js_Interpret] (r=mrbkap; take 2).
authorBrendan Eich <brendan@mozilla.org>
Fri, 15 May 2009 17:38:38 -0700
changeset 28445 c852a6b9b9d24cfaa734366695bab0613f35d261
parent 28444 ec4f89494fa586ff4cd4a8be70bf397f54069454
child 28446 c12c8651c10d6a4bcc688e5bac2eaeb2faa3ca1f
push id7066
push userrsayre@mozilla.com
push dateSat, 16 May 2009 17:05:13 +0000
reviewersmrbkap, take
bugs493177
milestone1.9.2a1pre
Bug 493177 - Browser crashes in loading of certain page.[@ js_Interpret] (r=mrbkap; take 2).
js/src/jsemit.cpp
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -1838,27 +1838,44 @@ EmitEnterBlock(JSContext *cx, JSParseNod
  * This function knows that it is called with pn pointing to a PN_NAME-arity
  * node, and cg->compiler->callerFrame having a non-null fun member, and the
  * static level of cg at least one greater than the eval-calling function's
  * static level.
  */
 static bool
 MakeUpvarForEval(JSParseNode *pn, JSCodeGenerator *cg)
 {
+    JSContext *cx = cg->compiler->context;
     JSFunction *fun = cg->compiler->callerFrame->fun;
     uintN upvarLevel = fun->u.i.script->staticLevel;
 
     JSFunctionBox *funbox = cg->funbox;
-    while (funbox && funbox->level >= upvarLevel) {
-        if (funbox->node->pn_dflags & PND_FUNARG)
+    if (funbox) {
+        /*
+         * Treat top-level function definitions as escaping (i.e., as funargs),
+         * required since we compile each such top level function or statement
+         * and throw away the AST, so we can't yet see all funarg uses of this
+         * function being compiled (cg->funbox->object). See bug 493177.
+         */
+        if (funbox->level == fun->u.i.script->staticLevel + 1U &&
+            !(((JSFunction *) funbox->object)->flags & JSFUN_LAMBDA)) {
+            JS_ASSERT_IF(cx->options & JSOPTION_ANONFUNFIX,
+                         ((JSFunction *) funbox->object)->atom);
             return true;
-        funbox = funbox->parent;
+        }
+
+        while (funbox->level >= upvarLevel) {
+            if (funbox->node->pn_dflags & PND_FUNARG)
+                return true;
+            funbox = funbox->parent;
+            if (!funbox)
+                break;
+        }
     }
 
-    JSContext *cx = cg->compiler->context;
     JSAtom *atom = pn->pn_atom;
 
     uintN index;
     JSLocalKind localKind = js_LookupLocal(cx, fun, atom, &index);
     if (localKind == JSLOCAL_NONE)
         return true;
 
     JS_ASSERT(cg->staticLevel > upvarLevel);
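Review bot: The new escape check on lines L42-L46 only fires when cg->funbox is itself the top-level definition (level == upvarLevel + 1, non-lambda); when the function being compiled is nested inside such a top-level definition, control reaches the while loop, which tests only PND_FUNARG on each ancestor — and the new comment says exactly that flag cannot yet be trusted on a top-level definition because the AST is thrown away per statement. If that reading is right, a closure nested in an escaping top-level function can still get a frame-relative upvar to the eval caller, which is the class of crash bug 493177 is fixing; I'd move the "treat as funarg" test inside the ancestor walk so it applies to any enclosing top-level definition, and have it confirmed with a test that nests a function inside a top-level named function under eval. Two minor points in the same lines: `upvarLevel` already holds `fun->u.i.script->staticLevel` (L30), so the comparison should read `funbox->level == upvarLevel + 1U` rather than re-reading the script, and the `(JSFunction *) funbox->object` cast is repeated on L43 and L45 and is better held in one local. MakeUpvarForEval continues past the end of this hunk.
```c
    JSFunctionBox *funbox = cg->funbox;
    while (funbox && funbox->level >= upvarLevel) {
        /*
         * Treat top-level function definitions as escaping (i.e., as funargs):
         * each top-level function or statement is compiled and its AST
         * discarded, so funarg uses of such a function are not yet visible.
         * Apply this to every enclosing top-level definition, not only to
         * cg->funbox itself. See bug 493177.
         */
        JSFunction *boxfun = (JSFunction *) funbox->object;
        if (funbox->level == upvarLevel + 1U && !(boxfun->flags & JSFUN_LAMBDA)) {
            JS_ASSERT_IF(cx->options & JSOPTION_ANONFUNFIX, boxfun->atom);
            return true;
        }
        if (funbox->node->pn_dflags & PND_FUNARG)
            return true;
        funbox = funbox->parent;
    }
    /* … unchanged: js_LookupLocal and the remainder of MakeUpvarForEval … */
```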