Fix Zimbra indirect eval crash. r=brendan
authorBlake Kaplan <mrbkap@gmail.com>
Tue, 29 Sep 2009 10:03:42 -0700
changeset 33271 eec5815b761f61c62b28770a2b59c4d84de55fcd
parent 33270 bb2505a8073056a6f25a83faa73d5fbbfcd2f325
child 33272 df6c8194f8c7d81eca66ffb1b9702dde820daf82
push idunknown
push userunknown
push dateunknown
reviewersbrendan
milestone1.9.3a1pre
Fix Zimbra indirect eval crash. r=brendan
js/src/jsobj.cpp
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1236,17 +1236,17 @@ EvalCacheHash(JSContext *cx, JSString *s
     h *= JS_GOLDEN_RATIO;
     h >>= 32 - JS_EVAL_CACHE_SHIFT;
     return &JS_SCRIPTS_TO_GC(cx)[h];
 }
 
 static JSBool
 obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
-    JSStackFrame *fp, *caller;
+    JSStackFrame *fp, *caller, *callerFrame;
     JSBool indirectCall;
     uint32 tcflags;
     JSPrincipals *principals;
     const char *file;
     uintN line;
     JSString *str;
     JSScript *script;
     JSBool ok;
@@ -1472,18 +1472,18 @@ obj_eval(JSContext *cx, JSObject *obj, u
                 script = NULL;
                 break;
             }
             EVAL_CACHE_METER(step);
             scriptp = &script->u.nextToGC;
         }
     }
 
+    callerFrame = (staticLevel != 0) ? caller : NULL;
     if (!script) {
-        JSStackFrame *callerFrame = (staticLevel != 0) ? caller : NULL;
         script = JSCompiler::compileScript(cx, scopeobj, callerFrame,
                                            principals, tcflags,
                                            str->chars(), str->length(),
                                            NULL, file, line, str);
         if (!script) {
             ok = JS_FALSE;
             goto out;
         }
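Review bot: The hoisted `callerFrame = (staticLevel != 0) ? caller : NULL;` is now the single decision that feeds both `JSCompiler::compileScript` here and the `js_Execute` call in the third hunk, but nothing at that line says why an indirect eval must be handed no caller frame, so a later edit could easily pass `caller` to one call and `callerFrame` to the other again. Suggest a comment above the assignment: `/* Indirect eval (staticLevel == 0): compile and execute with no caller frame; both calls below must agree on this choice. */`. Note that the cached-script path (the branch that skips `if (!script)`) now also executes with `callerFrame`, which presumably relies on the eval cache keying on `staticLevel` — worth confirming, since it cannot be seen from this hunk. obj_eval's body begins and ends outside this hunk.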
@@ -1496,17 +1496,17 @@ obj_eval(JSContext *cx, JSObject *obj, u
 
     /*
      * Belt-and-braces: check that the lesser of eval's principals and the
      * caller's principals has access to scopeobj.
      */
     ok = js_CheckPrincipalsAccess(cx, scopeobj, principals,
                                   cx->runtime->atomState.evalAtom);
     if (ok)
-        ok = js_Execute(cx, scopeobj, script, caller, JSFRAME_EVAL, rval);
+        ok = js_Execute(cx, scopeobj, script, callerFrame, JSFRAME_EVAL, rval);
 
     script->u.nextToGC = *bucket;
     *bucket = script;
 #ifdef CHECK_SCRIPT_OWNER
     script->owner = NULL;
 #endif
 
 out: