/[jscoverage]/trunk/js/jsparse.cpp

Diff of /trunk/js/jsparse.cpp

Parent Directory | Revision Log | View Patch Patch

-revision 459 by siliconforks,
Tue Dec  9 03:37:47 2008 UTC
+revision 460 by siliconforks,
Sat Sep 26 23:15:22 2009 UTC
 Line 89
  /*
   * Asserts to verify assumptions behind pn_ macros.
   */
- JS_STATIC_ASSERT(offsetof(JSParseNode, pn_u.name.atom) ==
+ #define pn_offsetof(m)  offsetof(JSParseNode, m)
-                  offsetof(JSParseNode, pn_u.apair.atom));
- JS_STATIC_ASSERT(offsetof(JSParseNode, pn_u.name.slot) ==
+ JS_STATIC_ASSERT(pn_offsetof(pn_link) == pn_offsetof(dn_uses));
-                  offsetof(JSParseNode, pn_u.lexical.slot));
+ JS_STATIC_ASSERT(pn_offsetof(pn_u.name.atom) == pn_offsetof(pn_u.apair.atom));
+ #undef pn_offsetof
  /*
   * JS parsers, from lowest to highest precedence.
-Line 105
+Line 107
  JSParser(JSContext *cx, JSTokenStream *ts, JSTreeContext *tc);
  typedef JSParseNode *
+ JSVariablesParser(JSContext *cx, JSTokenStream *ts, JSTreeContext *tc,
+                   bool inLetHead);
+ typedef JSParseNode *
  JSMemberParser(JSContext *cx, JSTokenStream *ts, JSTreeContext *tc,
                 JSBool allowCallSyntax);
-Line 120
+Line 126
  static JSParser FunctionExpr;
  static JSParser Statements;
  static JSParser Statement;
- static JSParser Variables;
+ static JSVariablesParser Variables;
  static JSParser Expr;
  static JSParser AssignExpr;
  static JSParser CondExpr;
-Line 157
+Line 163
  static uint32 recyclednodes = 0;
  #endif
- JSBool
+ void
- js_InitParseContext(JSContext *cx, JSParseContext *pc, JSPrincipals *principals,
+ JSParseNode::become(JSParseNode *pn2)
-                     JSStackFrame *callerFrame,
+ {
-                     const jschar *base, size_t length,
+     JS_ASSERT(!pn_defn);
-                     FILE *fp, const char *filename, uintN lineno)
+     JS_ASSERT(!pn2->pn_defn);
- {
-     JS_ASSERT_IF(callerFrame, callerFrame->script);
+     JS_ASSERT(!pn_used);
+     if (pn2->pn_used) {
-     pc->tempPoolMark = JS_ARENA_MARK(&cx->tempPool);
+         JSParseNode **pnup = &pn2->pn_lexdef->dn_uses;
-     if (!js_InitTokenStream(cx, TS(pc), base, length, fp, filename, lineno)) {
+         while (*pnup != pn2)
-         JS_ARENA_RELEASE(&cx->tempPool, pc->tempPoolMark);
+             pnup = &(*pnup)->pn_link;
-         return JS_FALSE;
+         *pnup = this;
+         pn_link = pn2->pn_link;
+         pn_used = true;
+         pn2->pn_link = NULL;
+         pn2->pn_used = false;
+     }
+     /* If this is a function node fix up the pn_funbox->node back-pointer. */
+     if (PN_TYPE(pn2) == TOK_FUNCTION && pn2->pn_arity == PN_FUNC)
+         pn2->pn_funbox->node = this;
+     pn_type = pn2->pn_type;
+     pn_op = pn2->pn_op;
+     pn_arity = pn2->pn_arity;
+     pn_u = pn2->pn_u;
+     pn2->clear();
+ }
+ void
+ JSParseNode::clear()
+ {
+     pn_type = TOK_EOF;
+     pn_op = JSOP_NOP;
+     pn_used = pn_defn = false;
+     pn_arity = PN_NULLARY;
+ }
+ bool
+ JSCompiler::init(const jschar *base, size_t length,
+                  FILE *fp, const char *filename, uintN lineno)
+ {
+     JSContext *cx = context;
+     tempPoolMark = JS_ARENA_MARK(&cx->tempPool);
+     if (!js_InitTokenStream(cx, TS(this), base, length, fp, filename, lineno)) {
+         JS_ARENA_RELEASE(&cx->tempPool, tempPoolMark);
+         return false;
      }
-     if (principals)
-         JSPRINCIPALS_HOLD(cx, principals);
-     pc->principals = principals;
-     pc->callerFrame = callerFrame;
-     pc->nodeList = NULL;
-     pc->traceListHead = NULL;
      /* Root atoms and objects allocated for the parsed tree. */
      JS_KEEP_ATOMS(cx->runtime);
-     JS_PUSH_TEMP_ROOT_PARSE_CONTEXT(cx, pc, &pc->tempRoot);
+     JS_PUSH_TEMP_ROOT_COMPILER(cx, this, &tempRoot);
-     return JS_TRUE;
+     return true;
  }
- void
+ JSCompiler::~JSCompiler()
- js_FinishParseContext(JSContext *cx, JSParseContext *pc)
  {
-     if (pc->principals)
+     JSContext *cx = context;
-         JSPRINCIPALS_DROP(cx, pc->principals);
-     JS_ASSERT(pc->tempRoot.u.parseContext == pc);
+     if (principals)
-     JS_POP_TEMP_ROOT(cx, &pc->tempRoot);
+         JSPRINCIPALS_DROP(cx, principals);
+     JS_ASSERT(tempRoot.u.compiler == this);
+     JS_POP_TEMP_ROOT(cx, &tempRoot);
      JS_UNKEEP_ATOMS(cx->runtime);
-     js_CloseTokenStream(cx, TS(pc));
+     js_CloseTokenStream(cx, TS(this));
-     JS_ARENA_RELEASE(&cx->tempPool, pc->tempPoolMark);
+     JS_ARENA_RELEASE(&cx->tempPool, tempPoolMark);
  }
  void
- js_InitCompilePrincipals(JSContext *cx, JSParseContext *pc,
+ JSCompiler::setPrincipals(JSPrincipals *prin)
-                          JSPrincipals *principals)
  {
-     JS_ASSERT(!pc->principals);
+     JS_ASSERT(!principals);
-     if (principals)
+     if (prin)
-         JSPRINCIPALS_HOLD(cx, principals);
+         JSPRINCIPALS_HOLD(context, prin);
-     pc->principals = principals;
+     principals = prin;
  }
- JSParsedObjectBox *
+ JSObjectBox *
- js_NewParsedObjectBox(JSContext *cx, JSParseContext *pc, JSObject *obj)
+ JSCompiler::newObjectBox(JSObject *obj)
  {
-     JSParsedObjectBox *pob;
+     JS_ASSERT(obj);
      /*
       * We use JSContext.tempPool to allocate parsed objects and place them on
-Line 216
+Line 252
       * containing the entries must be alive until we are done with scanning,
       * parsing and code generation for the whole script or top-level function.
       */
-     JS_ASSERT(obj);
+     JSObjectBox *objbox;
-     JS_ARENA_ALLOCATE_TYPE(pob, JSParsedObjectBox, &cx->tempPool);
+     JS_ARENA_ALLOCATE_TYPE(objbox, JSObjectBox, &context->tempPool);
-     if (!pob) {
+     if (!objbox) {
-         js_ReportOutOfScriptQuota(cx);
+         js_ReportOutOfScriptQuota(context);
          return NULL;
      }
-     pob->traceLink = pc->traceListHead;
+     objbox->traceLink = traceListHead;
-     pob->emitLink = NULL;
+     traceListHead = objbox;
-     pob->object = obj;
+     objbox->emitLink = NULL;
-     pc->traceListHead = pob;
+     objbox->object = obj;
-     return pob;
+     return objbox;
  }
+ JSFunctionBox *
+ JSCompiler::newFunctionBox(JSObject *obj, JSParseNode *fn, JSTreeContext *tc)
+ {
+     JS_ASSERT(obj);
+     JS_ASSERT(HAS_FUNCTION_CLASS(obj));
+     /*
+      * We use JSContext.tempPool to allocate parsed objects and place them on
+      * a list in JSTokenStream to ensure GC safety. Thus the tempPool arenas
+      * containing the entries must be alive until we are done with scanning,
+      * parsing and code generation for the whole script or top-level function.
+      */
+     JSFunctionBox *funbox;
+     JS_ARENA_ALLOCATE_TYPE(funbox, JSFunctionBox, &context->tempPool);
+     if (!funbox) {
+         js_ReportOutOfScriptQuota(context);
+         return NULL;
+     }
+     funbox->traceLink = traceListHead;
+     traceListHead = funbox;
+     funbox->emitLink = NULL;
+     funbox->object = obj;
+     funbox->node = fn;
+     funbox->siblings = tc->functionList;
+     tc->functionList = funbox;
+     ++tc->compiler->functionCount;
+     funbox->kids = NULL;
+     funbox->parent = tc->funbox;
+     funbox->queued = false;
+     funbox->inLoop = false;
+     for (JSStmtInfo *stmt = tc->topStmt; stmt; stmt = stmt->down) {
+         if (STMT_IS_LOOP(stmt)) {
+             funbox->inLoop = true;
+             break;
+         }
+     }
+     funbox->level = tc->staticLevel;
+     funbox->tcflags = TCF_IN_FUNCTION | (tc->flags & TCF_COMPILE_N_GO);
+     return funbox;
+ }
  void
- js_TraceParseContext(JSTracer *trc, JSParseContext *pc)
+ JSCompiler::trace(JSTracer *trc)
  {
-     JSParsedObjectBox *pob;
+     JSObjectBox *objbox;
-     JS_ASSERT(pc->tempRoot.u.parseContext == pc);
+     JS_ASSERT(tempRoot.u.compiler == this);
-     pob = pc->traceListHead;
+     objbox = traceListHead;
-     while (pob) {
+     while (objbox) {
-         JS_CALL_OBJECT_TRACER(trc, pob->object, "parser.object");
+         JS_CALL_OBJECT_TRACER(trc, objbox->object, "parser.object");
-         pob = pob->traceLink;
+         objbox = objbox->traceLink;
      }
  }
+ static void
+ UnlinkFunctionBoxes(JSParseNode *pn, JSTreeContext *tc);
+ static void
+ UnlinkFunctionBox(JSParseNode *pn, JSTreeContext *tc)
+ {
+     JSFunctionBox *funbox = pn->pn_funbox;
+     if (funbox) {
+         JS_ASSERT(funbox->node == pn);
+         funbox->node = NULL;
+         JSFunctionBox **funboxp = &tc->functionList;
+         while (*funboxp) {
+             if (*funboxp == funbox) {
+                 *funboxp = funbox->siblings;
+                 break;
+             }
+             funboxp = &(*funboxp)->siblings;
+         }
+         uint16 oldflags = tc->flags;
+         JSFunctionBox *oldlist = tc->functionList;
+         tc->flags = (uint16) funbox->tcflags;
+         tc->functionList = funbox->kids;
+         UnlinkFunctionBoxes(pn->pn_body, tc);
+         funbox->kids = tc->functionList;
+         tc->flags = oldflags;
+         tc->functionList = oldlist;
+         // FIXME: use a funbox freelist (consolidate aleFreeList and nodeList).
+         pn->pn_funbox = NULL;
+     }
+ }
+ static void
+ UnlinkFunctionBoxes(JSParseNode *pn, JSTreeContext *tc)
+ {
+     if (pn) {
+         switch (pn->pn_arity) {
+           case PN_NULLARY:
+             return;
+           case PN_UNARY:
+             UnlinkFunctionBoxes(pn->pn_kid, tc);
+             return;
+           case PN_BINARY:
+             UnlinkFunctionBoxes(pn->pn_left, tc);
+             UnlinkFunctionBoxes(pn->pn_right, tc);
+             return;
+           case PN_TERNARY:
+             UnlinkFunctionBoxes(pn->pn_kid1, tc);
+             UnlinkFunctionBoxes(pn->pn_kid2, tc);
+             UnlinkFunctionBoxes(pn->pn_kid3, tc);
+             return;
+           case PN_LIST:
+             for (JSParseNode *pn2 = pn->pn_head; pn2; pn2 = pn2->pn_next)
+                 UnlinkFunctionBoxes(pn2, tc);
+             return;
+           case PN_FUNC:
+             UnlinkFunctionBox(pn, tc);
+             return;
+           case PN_NAME:
+             UnlinkFunctionBoxes(pn->maybeExpr(), tc);
+             return;
+           case PN_NAMESET:
+             UnlinkFunctionBoxes(pn->pn_tree, tc);
+         }
+     }
+ }
+ static void
+ RecycleFuncNameKids(JSParseNode *pn, JSTreeContext *tc);
  static JSParseNode *
  RecycleTree(JSParseNode *pn, JSTreeContext *tc)
  {
-     JSParseNode *next;
+     JSParseNode *next, **head;
      if (!pn)
          return NULL;
      /* Catch back-to-back dup recycles. */
-     JS_ASSERT(pn != tc->parseContext->nodeList);
+     JS_ASSERT(pn != tc->compiler->nodeList);
      next = pn->pn_next;
-     pn->pn_next = tc->parseContext->nodeList;
+     if (pn->pn_used || pn->pn_defn) {
-     tc->parseContext->nodeList = pn;
+         /*
+          * JSAtomLists own definition nodes along with their used-node chains.
+          * Defer recycling such nodes until we unwind to top level to avoid
+          * linkage overhead or (alternatively) unlinking runtime complexity.
+          * Yes, this means dead code can contribute to static analysis results!
+          *
+          * Do recycle kids here, since they are no longer needed.
+          */
+         pn->pn_next = NULL;
+         RecycleFuncNameKids(pn, tc);
+     } else {
+         UnlinkFunctionBoxes(pn, tc);
+         head = &tc->compiler->nodeList;
+         pn->pn_next = *head;
+         *head = pn;
  #ifdef METER_PARSENODES
-     recyclednodes++;
+         recyclednodes++;
  #endif
+     }
      return next;
  }
+ static void
+ RecycleFuncNameKids(JSParseNode *pn, JSTreeContext *tc)
+ {
+     switch (pn->pn_arity) {
+       case PN_FUNC:
+         UnlinkFunctionBox(pn, tc);
+         /* FALL THROUGH */
+       case PN_NAME:
+         /*
+          * Only a definition node might have a non-null strong pn_expr link
+          * to recycle, but we test !pn_used to handle PN_FUNC fall through.
+          * Every node with the pn_used flag set has a non-null pn_lexdef
+          * weak reference to its definition node.
+          */
+         if (!pn->pn_used && pn->pn_expr) {
+             RecycleTree(pn->pn_expr, tc);
+             pn->pn_expr = NULL;
+         }
+         break;
+       default:
+         JS_ASSERT(PN_TYPE(pn) == TOK_FUNCTION);
+     }
+ }
  static JSParseNode *
- NewOrRecycledNode(JSContext *cx, JSTreeContext *tc)
+ NewOrRecycledNode(JSTreeContext *tc)
  {
-     JSParseNode *pn;
+     JSParseNode *pn, *pn2;
-     pn = tc->parseContext->nodeList;
+     pn = tc->compiler->nodeList;
      if (!pn) {
+         JSContext *cx = tc->compiler->context;
          JS_ARENA_ALLOCATE_TYPE(pn, JSParseNode, &cx->tempPool);
          if (!pn)
              js_ReportOutOfScriptQuota(cx);
      } else {
-         tc->parseContext->nodeList = pn->pn_next;
+         tc->compiler->nodeList = pn->pn_next;
          /* Recycle immediate descendents only, to save work and working set. */
          switch (pn->pn_arity) {
-Line 281
+Line 473
              RecycleTree(pn->pn_body, tc);
              break;
            case PN_LIST:
-             if (pn->pn_head) {
+             pn2 = pn->pn_head;
-                 /* XXX check for dup recycles in the list */
+             if (pn2) {
-                 *pn->pn_tail = tc->parseContext->nodeList;
+                 while (pn2 && !pn2->pn_used && !pn2->pn_defn)
-                 tc->parseContext->nodeList = pn->pn_head;
+                     pn2 = pn2->pn_next;
+                 if (pn2) {
+                     pn2 = pn->pn_head;
+                     do {
+                         pn2 = RecycleTree(pn2, tc);
+                     } while (pn2);
+                 } else {
+                     *pn->pn_tail = tc->compiler->nodeList;
+                     tc->compiler->nodeList = pn->pn_head;
  #ifdef METER_PARSENODES
-                 recyclednodes += pn->pn_count;
+                     recyclednodes += pn->pn_count;
  #endif
+                     break;
+                 }
              }
              break;
            case PN_TERNARY:
-Line 304
+Line 506
              RecycleTree(pn->pn_kid, tc);
              break;
            case PN_NAME:
-             RecycleTree(pn->pn_expr, tc);
+             if (!pn->pn_used)
+                 RecycleTree(pn->pn_expr, tc);
              break;
            case PN_NULLARY:
              break;
-Line 316
+Line 519
          if (parsenodes - recyclednodes > maxparsenodes)
              maxparsenodes = parsenodes - recyclednodes;
  #endif
+         pn->pn_used = pn->pn_defn = false;
          memset(&pn->pn_u, 0, sizeof pn->pn_u);
          pn->pn_next = NULL;
      }
      return pn;
  }
+ static inline void
+ InitParseNode(JSParseNode *pn, JSTokenType type, JSOp op, JSParseNodeArity arity)
+ {
+     pn->pn_type = type;
+     pn->pn_op = op;
+     pn->pn_arity = arity;
+     JS_ASSERT(!pn->pn_used);
+     JS_ASSERT(!pn->pn_defn);
+     pn->pn_next = pn->pn_link = NULL;
+ }
  /*
-  * Allocate a JSParseNode from cx's temporary arena.
+  * Allocate a JSParseNode from tc's node freelist or, failing that, from cx's
+  * temporary arena.
   */
  static JSParseNode *
- NewParseNode(JSContext *cx, JSTokenStream *ts, JSParseNodeArity arity,
+ NewParseNode(JSParseNodeArity arity, JSTreeContext *tc)
-              JSTreeContext *tc)
  {
      JSParseNode *pn;
      JSToken *tp;
-     pn = NewOrRecycledNode(cx, tc);
+     pn = NewOrRecycledNode(tc);
      if (!pn)
          return NULL;
-     tp = &CURRENT_TOKEN(ts);
+     tp = &CURRENT_TOKEN(&tc->compiler->tokenStream);
-     pn->pn_type = tp->type;
+     InitParseNode(pn, tp->type, JSOP_NOP, arity);
      pn->pn_pos = tp->pos;
-     pn->pn_op = JSOP_NOP;
+     return pn;
-     pn->pn_arity = arity;
+ }
+ static inline void
+ InitNameNodeCommon(JSParseNode *pn, JSTreeContext *tc)
+ {
+     pn->pn_expr = NULL;
+     pn->pn_cookie = FREE_UPVAR_COOKIE;
+     pn->pn_dflags = tc->atTopLevel() ? PND_TOPLEVEL : 0;
+     if (!tc->topStmt || tc->topStmt->type == STMT_BLOCK)
+         pn->pn_dflags |= PND_BLOCKCHILD;
+     pn->pn_blockid = tc->blockid();
+ }
+ static JSParseNode *
+ NewNameNode(JSContext *cx, JSTokenStream *ts, JSAtom *atom, JSTreeContext *tc)
+ {
+     JSParseNode *pn;
+     pn = NewParseNode(PN_NAME, tc);
+     if (pn) {
+         pn->pn_atom = atom;
+         InitNameNodeCommon(pn, tc);
+     }
      return pn;
  }
  static JSParseNode *
- NewBinary(JSContext *cx, JSTokenType tt,
+ NewBinary(JSTokenType tt, JSOp op, JSParseNode *left, JSParseNode *right,
-           JSOp op, JSParseNode *left, JSParseNode *right,
            JSTreeContext *tc)
  {
      JSParseNode *pn, *pn1, *pn2;
-Line 357
+Line 593
       * Flatten a left-associative (left-heavy) tree of a given operator into
       * a list, to reduce js_FoldConstants and js_EmitTree recursion.
       */
-     if (left->pn_type == tt &&
+     if (PN_TYPE(left) == tt &&
-         left->pn_op == op &&
+         PN_OP(left) == op &&
          (js_CodeSpec[op].format & JOF_LEFTASSOC)) {
          if (left->pn_arity != PN_LIST) {
              pn1 = left->pn_left, pn2 = left->pn_right;
              left->pn_arity = PN_LIST;
-             PN_INIT_LIST_1(left, pn1);
+             left->initList(pn1);
-             PN_APPEND(left, pn2);
+             left->append(pn2);
              if (tt == TOK_PLUS) {
                  if (pn1->pn_type == TOK_STRING)
-                     left->pn_extra |= PNX_STRCAT;
+                     left->pn_xflags |= PNX_STRCAT;
                  else if (pn1->pn_type != TOK_NUMBER)
-                     left->pn_extra |= PNX_CANTFOLD;
+                     left->pn_xflags |= PNX_CANTFOLD;
                  if (pn2->pn_type == TOK_STRING)
-                     left->pn_extra |= PNX_STRCAT;
+                     left->pn_xflags |= PNX_STRCAT;
                  else if (pn2->pn_type != TOK_NUMBER)
-                     left->pn_extra |= PNX_CANTFOLD;
+                     left->pn_xflags |= PNX_CANTFOLD;
              }
          }
-         PN_APPEND(left, right);
+         left->append(right);
          left->pn_pos.end = right->pn_pos.end;
          if (tt == TOK_PLUS) {
              if (right->pn_type == TOK_STRING)
-                 left->pn_extra |= PNX_STRCAT;
+                 left->pn_xflags |= PNX_STRCAT;
              else if (right->pn_type != TOK_NUMBER)
-                 left->pn_extra |= PNX_CANTFOLD;
+                 left->pn_xflags |= PNX_CANTFOLD;
          }
          return left;
      }
-Line 403
+Line 639
          return left;
      }
-     pn = NewOrRecycledNode(cx, tc);
+     pn = NewOrRecycledNode(tc);
      if (!pn)
          return NULL;
-     pn->pn_type = tt;
+     InitParseNode(pn, tt, op, PN_BINARY);
      pn->pn_pos.begin = left->pn_pos.begin;
      pn->pn_pos.end = right->pn_pos.end;
-     pn->pn_op = op;
-     pn->pn_arity = PN_BINARY;
      pn->pn_left = left;
      pn->pn_right = right;
      return pn;
-Line 460
+Line 694
  }
  #endif
+ static bool
+ GenerateBlockId(JSTreeContext *tc, uint32& blockid)
+ {
+     if (tc->blockidGen == JS_BIT(20)) {
+         JS_ReportErrorNumber(tc->compiler->context, js_GetErrorMessage, NULL,
+                              JSMSG_NEED_DIET, "program");
+         return false;
+     }
+     blockid = tc->blockidGen++;
+     return true;
+ }
+ static bool
+ GenerateBlockIdForStmtNode(JSParseNode *pn, JSTreeContext *tc)
+ {
+     JS_ASSERT(tc->topStmt);
+     JS_ASSERT(STMT_MAYBE_SCOPE(tc->topStmt));
+     JS_ASSERT(pn->pn_type == TOK_LC || pn->pn_type == TOK_LEXICALSCOPE);
+     if (!GenerateBlockId(tc, tc->topStmt->blockid))
+         return false;
+     pn->pn_blockid = tc->topStmt->blockid;
+     return true;
+ }
  /*
   * Parse a top-level JS script.
   */
  JSParseNode *
- js_ParseScript(JSContext *cx, JSObject *chain, JSParseContext *pc)
+ JSCompiler::parse(JSObject *chain)
  {
-     JSTreeContext tc;
-     JSParseNode *pn;
      /*
       * Protect atoms from being collected by a GC activation, which might
       * - nest on this thread due to out of memory (the so-called "last ditch"
-Line 477
+Line 732
       *   an object lock before it finishes generating bytecode into a script
       *   protected from the GC by a root or a stack frame reference.
       */
-     TREE_CONTEXT_INIT(&tc, pc);
+     JSTreeContext tc(this);
-     tc.u.scopeChain = chain;
+     tc.scopeChain = chain;
-     pn = Statements(cx, TS(pc), &tc);
+     if (!GenerateBlockId(&tc, tc.bodyid))
+         return NULL;
+     JSParseNode *pn = Statements(context, TS(this), &tc);
      if (pn) {
-         if (!js_MatchToken(cx, TS(pc), TOK_EOF)) {
+         if (!js_MatchToken(context, TS(this), TOK_EOF)) {
-             js_ReportCompileErrorNumber(cx, TS(pc), NULL, JSREPORT_ERROR,
+             js_ReportCompileErrorNumber(context, TS(this), NULL, JSREPORT_ERROR,
                                          JSMSG_SYNTAX_ERROR);
              pn = NULL;
          } else {
-             pn->pn_type = TOK_LC;
+             if (!js_FoldConstants(context, pn, &tc))
-             if (!js_FoldConstants(cx, pn, &tc))
                  pn = NULL;
          }
      }
-     TREE_CONTEXT_FINISH(cx, &tc);
      return pn;
  }
+ JS_STATIC_ASSERT(FREE_STATIC_LEVEL == JS_BITMASK(JSFB_LEVEL_BITS));
+ static inline bool
+ SetStaticLevel(JSTreeContext *tc, uintN staticLevel)
+ {
+     /*
+      * Reserve FREE_STATIC_LEVEL (0xffff) in order to reserve FREE_UPVAR_COOKIE
+      * (0xffffffff) and other cookies with that level.
+      *
+      * This is a lot simpler than error-checking every MAKE_UPVAR_COOKIE, and
+      * practically speaking it leaves more than enough room for upvars. In fact
+      * we might want to split cookie fields giving fewer bits for skip and more
+      * for slot, but only based on evidence.
+      */
+     if (staticLevel >= FREE_STATIC_LEVEL) {
+         JS_ReportErrorNumber(tc->compiler->context, js_GetErrorMessage, NULL,
+                              JSMSG_TOO_DEEP, js_function_str);
+         return false;
+     }
+     tc->staticLevel = staticLevel;
+     return true;
+ }
  /*
   * Compile a top-level script.
   */
- extern JSScript *
+ JSScript *
- js_CompileScript(JSContext *cx, JSObject *scopeChain, JSStackFrame *callerFrame,
+ JSCompiler::compileScript(JSContext *cx, JSObject *scopeChain, JSStackFrame *callerFrame,
-                  JSPrincipals *principals, uint32 tcflags,
+                           JSPrincipals *principals, uint32 tcflags,
-                  const jschar *chars, size_t length,
+                           const jschar *chars, size_t length,
-                  FILE *file, const char *filename, uintN lineno)
+                           FILE *file, const char *filename, uintN lineno,
+                           JSString *source /* = NULL */)
  {
-     JSParseContext pc;
+     JSCompiler jsc(cx, principals, callerFrame);
      JSArenaPool codePool, notePool;
-     JSCodeGenerator cg;
      JSTokenType tt;
      JSParseNode *pn;
      uint32 scriptGlobals;
-Line 517
+Line 795
  #endif
      JS_ASSERT(!(tcflags & ~(TCF_COMPILE_N_GO | TCF_NO_SCRIPT_RVAL |
-                             TCF_STATIC_DEPTH_MASK)));
+                             TCF_STATIC_LEVEL_MASK)));
      /*
       * The scripted callerFrame can only be given for compile-and-go scripts
-      * and non-zero static depth requires callerFrame.
+      * and non-zero static level requires callerFrame.
       */
      JS_ASSERT_IF(callerFrame, tcflags & TCF_COMPILE_N_GO);
-     JS_ASSERT_IF(TCF_GET_STATIC_DEPTH(tcflags) != 0, callerFrame);
+     JS_ASSERT_IF(TCF_GET_STATIC_LEVEL(tcflags) != 0, callerFrame);
-     if (!js_InitParseContext(cx, &pc, principals, callerFrame, chars, length,
+     if (!jsc.init(chars, length, file, filename, lineno))
-                              file, filename, lineno)) {
          return NULL;
-     }
      JS_INIT_ARENA_POOL(&codePool, "code", 1024, sizeof(jsbytecode),
                         &cx->scriptStackQuota);
      JS_INIT_ARENA_POOL(&notePool, "note", 1024, sizeof(jssrcnote),
                         &cx->scriptStackQuota);
-     js_InitCodeGenerator(cx, &cg, &pc, &codePool, &notePool,
-                          pc.tokenStream.lineno);
+     JSCodeGenerator cg(&jsc, &codePool, &notePool, jsc.tokenStream.lineno);
      MUST_FLOW_THROUGH("out");
-     cg.treeContext.flags |= (uint16) tcflags;
-     cg.treeContext.u.scopeChain = scopeChain;
-     cg.staticDepth = TCF_GET_STATIC_DEPTH(tcflags);
-     if ((tcflags & TCF_COMPILE_N_GO) && callerFrame && callerFrame->fun) {
+     /* Null script early in case of error, to reduce our code footprint. */
-         /*
+     script = NULL;
-          * An eval script in a caller frame needs to have its enclosing function
-          * captured in case it uses an upvar reference, and someone wishes to
+     cg.flags |= uint16(tcflags);
-          * decompile it while running.
+     cg.scopeChain = scopeChain;
-          */
+     if (!SetStaticLevel(&cg, TCF_GET_STATIC_LEVEL(tcflags)))
-         JSParsedObjectBox *pob = js_NewParsedObjectBox(cx, &pc, callerFrame->callee);
+         goto out;
-         pob->emitLink = cg.objectList.lastPob;
-         cg.objectList.lastPob = pob;
+     /*
-         cg.objectList.length++;
+      * If funbox is non-null after we create the new script, callerFrame->fun
+      * was saved in the 0th object table entry.
+      */
+     JSObjectBox *funbox;
+     funbox = NULL;
+     if (tcflags & TCF_COMPILE_N_GO) {
+         if (source) {
+             /*
+              * Save eval program source in script->atomMap.vector[0] for the
+              * eval cache (see obj_eval in jsobj.cpp).
+              */
+             JSAtom *atom = js_AtomizeString(cx, source, 0);
+             if (!atom || !cg.atomList.add(&jsc, atom))
+                 goto out;
+         }
+         if (callerFrame && callerFrame->fun) {
+             /*
+              * An eval script in a caller frame needs to have its enclosing
+              * function captured in case it refers to an upvar, and someone
+              * wishes to decompile it while it's running.
+              */
+             funbox = jsc.newObjectBox(FUN_OBJECT(callerFrame->fun));
+             if (!funbox)
+                 goto out;
+             funbox->emitLink = cg.objectList.lastbox;
+             cg.objectList.lastbox = funbox;
+             cg.objectList.length++;
+         }
      }
-     /* Inline Statements() to emit as we go to save space. */
+     /*
+      * Inline Statements to emit as we go to save AST space. We must generate
+      * our script-body blockid since we aren't calling Statements.
+      */
+     uint32 bodyid;
+     if (!GenerateBlockId(&cg, bodyid))
+         goto out;
+     cg.bodyid = bodyid;
+ #if JS_HAS_XML_SUPPORT
+     pn = NULL;
+     bool onlyXML;
+     onlyXML = true;
+ #endif
      for (;;) {
-         pc.tokenStream.flags |= TSF_OPERAND;
+         jsc.tokenStream.flags |= TSF_OPERAND;
-         tt = js_PeekToken(cx, &pc.tokenStream);
+         tt = js_PeekToken(cx, &jsc.tokenStream);
-         pc.tokenStream.flags &= ~TSF_OPERAND;
+         jsc.tokenStream.flags &= ~TSF_OPERAND;
          if (tt <= TOK_EOF) {
              if (tt == TOK_EOF)
                  break;
              JS_ASSERT(tt == TOK_ERROR);
-             script = NULL;
              goto out;
          }
-         pn = Statement(cx, &pc.tokenStream, &cg.treeContext);
+         pn = Statement(cx, &jsc.tokenStream, &cg);
-         if (!pn) {
+         if (!pn)
-             script = NULL;
+             goto out;
+         JS_ASSERT(!cg.blockNode);
+         if (!js_FoldConstants(cx, pn, &cg))
              goto out;
+         if (cg.functionList) {
+             if (!jsc.analyzeFunctions(cg.functionList, cg.flags))
+                 goto out;
+             cg.functionList = NULL;
          }
-         JS_ASSERT(!cg.treeContext.blockNode);
-         if (!js_FoldConstants(cx, pn, &cg.treeContext) ||
+         if (!js_EmitTree(cx, &cg, pn))
-             !js_EmitTree(cx, &cg, pn)) {
-             script = NULL;
              goto out;
+ #if JS_HAS_XML_SUPPORT
+         if (PN_TYPE(pn) != TOK_SEMI ||
+             !pn->pn_kid ||
+             !TREE_TYPE_IS_XML(PN_TYPE(pn->pn_kid))) {
+             onlyXML = false;
          }
-         RecycleTree(pn, &cg.treeContext);
+ #endif
+         RecycleTree(pn, &cg);
      }
+ #if JS_HAS_XML_SUPPORT
      /*
-      * Global variables and regexps shares the index space with locals. Due to
+      * Prevent XML data theft via <script src="http://victim.com/foo.xml">.
+      * For background, see:
+      *
+      * https://bugzilla.mozilla.org/show_bug.cgi?id=336551
+      */
+     if (pn && onlyXML && (tcflags & TCF_NO_SCRIPT_RVAL)) {
+         js_ReportCompileErrorNumber(cx, &jsc.tokenStream, NULL, JSREPORT_ERROR,
+                                     JSMSG_XML_WHOLE_PROGRAM);
+         goto out;
+     }
+ #endif
+     /*
+      * Global variables and regexps share the index space with locals. Due to
       * incremental code generation we need to patch the bytecode to adjust the
       * local references to skip the globals.
       */
-     scriptGlobals = cg.treeContext.ngvars + cg.regexpList.length;
+     scriptGlobals = cg.ngvars + cg.regexpList.length;
      if (scriptGlobals != 0) {
          jsbytecode *code, *end;
          JSOp op;
-Line 635
+Line 975
       * Nowadays the threaded interpreter needs a stop instruction, so we
       * do have to emit that here.
       */
-     if (js_Emit1(cx, &cg, JSOP_STOP) < 0) {
+     if (js_Emit1(cx, &cg, JSOP_STOP) < 0)
-         script = NULL;
          goto out;
-     }
  #ifdef METER_PARSENODES
      printf("Code-gen growth: %d (%u bytecodes, %u srcnotes)\n",
-            (char *)sbrk(0) - (char *)before, CG_OFFSET(cg), cg->noteCount);
+            (char *)sbrk(0) - (char *)before, CG_OFFSET(&cg), cg.noteCount);
  #endif
  #ifdef JS_ARENAMETER
      JS_DumpArenaStats(stdout);
  #endif
      script = js_NewScriptFromCG(cx, &cg);
+     if (script && funbox)
+         script->flags |= JSSF_SAVED_CALLER_FUN;
  #ifdef JS_SCOPE_DEPTH_METER
      if (script) {
-Line 659
+Line 999
  #endif
    out:
-     js_FinishCodeGenerator(cx, &cg);
      JS_FinishArenaPool(&codePool);
      JS_FinishArenaPool(&notePool);
-     js_FinishParseContext(cx, &pc);
      return script;
    too_many_slots:
-     js_ReportCompileErrorNumber(cx, &pc.tokenStream, NULL,
+     js_ReportCompileErrorNumber(cx, &jsc.tokenStream, NULL,
                                  JSREPORT_ERROR, JSMSG_TOO_MANY_LOCALS);
      script = NULL;
      goto out;
-Line 692
+Line 1030
        case TOK_LC:
          if (!pn->pn_head)
              return ENDS_IN_OTHER;
-         return HasFinalReturn(PN_LAST(pn));
+         return HasFinalReturn(pn->last());
        case TOK_IF:
          if (!pn->pn_kid3)
-Line 733
+Line 1071
          hasDefault = ENDS_IN_OTHER;
          pn2 = pn->pn_right;
          if (pn2->pn_type == TOK_LEXICALSCOPE)
-             pn2 = pn2->pn_expr;
+             pn2 = pn2->expr();
          for (pn2 = pn2->pn_head; rv && pn2; pn2 = pn2->pn_next) {
              if (pn2->pn_type == TOK_DEFAULT)
                  hasDefault = ENDS_IN_RETURN;
              pn3 = pn2->pn_right;
              JS_ASSERT(pn3->pn_type == TOK_LC);
              if (pn3->pn_head) {
-                 rv2 = HasFinalReturn(PN_LAST(pn3));
+                 rv2 = HasFinalReturn(pn3->last());
                  if (rv2 == ENDS_IN_OTHER && pn2->pn_next)
                      /* Falling through to next case or default. */;
                  else
-Line 762
+Line 1100
        case TOK_COLON:
        case TOK_LEXICALSCOPE:
-         return HasFinalReturn(pn->pn_expr);
+         return HasFinalReturn(pn->expr());
        case TOK_THROW:
          return ENDS_IN_RETURN;
-Line 806
+Line 1144
      const char *name;
      JS_ASSERT(tc->flags & TCF_IN_FUNCTION);
-     if (tc->u.fun->atom) {
+     if (tc->fun->atom) {
-         name = js_AtomToPrintableString(cx, tc->u.fun->atom);
+         name = js_AtomToPrintableString(cx, tc->fun->atom);
      } else {
          errnum = anonerrnum;
          name = NULL;
      }
-     return js_ReportCompileErrorNumber(cx, TS(tc->parseContext), NULL, flags,
+     return js_ReportCompileErrorNumber(cx, TS(tc->compiler), NULL, flags,
                                         errnum, name);
  }
-Line 849
+Line 1187
      if (CURRENT_TOKEN(ts).type == TOK_LC) {
          pn = Statements(cx, ts, tc);
      } else {
-         pn = NewParseNode(cx, ts, PN_UNARY, tc);
+         pn = NewParseNode(PN_UNARY, tc);
          if (pn) {
              pn->pn_kid = AssignExpr(cx, ts, tc);
              if (!pn->pn_kid) {
-Line 873
+Line 1211
  #endif
      if (pn) {
+         JS_ASSERT(!(tc->topStmt->flags & SIF_SCOPE));
          js_PopStatement(tc);
          pn->pn_pos.begin.lineno = firstLine;
-Line 883
+Line 1222
          }
      }
-     tc->flags = oldflags | (tc->flags & (TCF_FUN_FLAGS | TCF_HAS_DEFXMLNS));
+     tc->flags = oldflags | (tc->flags & TCF_FUN_FLAGS);
      return pn;
  }
+ static JSAtomListElement *
+ MakePlaceholder(JSParseNode *pn, JSTreeContext *tc)
+ {
+     JSAtomListElement *ale = tc->lexdeps.add(tc->compiler, pn->pn_atom);
+     if (!ale)
+         return NULL;
+     JSDefinition *dn = (JSDefinition *)
+         NewNameNode(tc->compiler->context, TS(tc->compiler), pn->pn_atom, tc);
+     if (!dn)
+         return NULL;
+     ALE_SET_DEFN(ale, dn);
+     dn->pn_defn = true;
+     dn->pn_dflags |= PND_PLACEHOLDER;
+     return ale;
+ }
+ static bool
+ Define(JSParseNode *pn, JSAtom *atom, JSTreeContext *tc, bool let = false)
+ {
+     JS_ASSERT(!pn->pn_used);
+     JS_ASSERT_IF(pn->pn_defn, pn->isPlaceholder());
+     JSHashEntry **hep;
+     JSAtomListElement *ale = NULL;
+     JSAtomList *list = NULL;
+     if (let)
+         ale = (list = &tc->decls)->rawLookup(atom, hep);
+     if (!ale)
+         ale = (list = &tc->lexdeps)->rawLookup(atom, hep);
+     if (ale) {
+         JSDefinition *dn = ALE_DEFN(ale);
+         if (dn != pn) {
+             JSParseNode **pnup = &dn->dn_uses;
+             JSParseNode *pnu;
+             uintN start = let ? pn->pn_blockid : tc->bodyid;
+             while ((pnu = *pnup) != NULL && pnu->pn_blockid >= start) {
+                 JS_ASSERT(pnu->pn_used);
+                 pnu->pn_lexdef = (JSDefinition *) pn;
+                 pn->pn_dflags |= pnu->pn_dflags & (PND_ASSIGNED | PND_FUNARG);
+                 pnup = &pnu->pn_link;
+             }
+             if (pnu != dn->dn_uses) {
+                 *pnup = pn->dn_uses;
+                 pn->dn_uses = dn->dn_uses;
+                 dn->dn_uses = pnu;
+                 if ((!pnu || pnu->pn_blockid < tc->bodyid) && list != &tc->decls)
+                     list->rawRemove(tc->compiler, ale, hep);
+             }
+         }
+     }
+     ale = tc->decls.add(tc->compiler, atom, let ? JSAtomList::SHADOW : JSAtomList::UNIQUE);
+     if (!ale)
+         return false;
+     ALE_SET_DEFN(ale, pn);
+     pn->pn_defn = true;
+     pn->pn_dflags &= ~PND_PLACEHOLDER;
+     return true;
+ }
+ static void
+ LinkUseToDef(JSParseNode *pn, JSDefinition *dn, JSTreeContext *tc)
+ {
+     JS_ASSERT(!pn->pn_used);
+     JS_ASSERT(!pn->pn_defn);
+     JS_ASSERT(pn != dn->dn_uses);
+     pn->pn_link = dn->dn_uses;
+     dn->dn_uses = pn;
+     pn->pn_used = true;
+     pn->pn_lexdef = dn;
+ }
+ static void
+ ForgetUse(JSParseNode *pn)
+ {
+     if (!pn->pn_used) {
+         JS_ASSERT(!pn->pn_defn);
+         return;
+     }
+     JSParseNode **pnup = &pn->lexdef()->dn_uses;
+     JSParseNode *pnu;
+     while ((pnu = *pnup) != pn)
+         pnup = &pnu->pn_link;
+     *pnup = pn->pn_link;
+     pn->pn_used = false;
+ }
+ static JSParseNode *
+ MakeAssignment(JSParseNode *pn, JSParseNode *rhs, JSTreeContext *tc)
+ {
+     JSParseNode *lhs = NewOrRecycledNode(tc);
+     if (!lhs)
+         return NULL;
+     *lhs = *pn;
+     if (pn->pn_used) {
+         JSDefinition *dn = pn->pn_lexdef;
+         JSParseNode **pnup = &dn->dn_uses;
+         while (*pnup != pn)
+             pnup = &(*pnup)->pn_link;
+         *pnup = lhs;
+         lhs->pn_link = pn->pn_link;
+         pn->pn_link = NULL;
+     }
+     pn->pn_type = TOK_ASSIGN;
+     pn->pn_op = JSOP_NOP;
+     pn->pn_arity = PN_BINARY;
+     pn->pn_used = pn->pn_defn = false;
+     pn->pn_left = lhs;
+     pn->pn_right = rhs;
+     return lhs;
+ }
+ static JSParseNode *
+ MakeDefIntoUse(JSDefinition *dn, JSParseNode *pn, JSAtom *atom, JSTreeContext *tc)
+ {
+     /*
+      * If dn is var, const, or let, and it has an initializer, then we must
+      * rewrite it to be an assignment node, whose freshly allocated left-hand
+      * side becomes a use of pn.
+      */
+     if (dn->isBindingForm()) {
+         JSParseNode *rhs = dn->expr();
+         if (rhs) {
+             JSParseNode *lhs = MakeAssignment(dn, rhs, tc);
+             if (!lhs)
+                 return NULL;
+             //pn->dn_uses = lhs;
+             dn = (JSDefinition *) lhs;
+         }
+         dn->pn_op = (js_CodeSpec[dn->pn_op].format & JOF_SET) ? JSOP_SETNAME : JSOP_NAME;
+     } else if (dn->kind() == JSDefinition::FUNCTION) {
+         JS_ASSERT(dn->isTopLevel());
+         JS_ASSERT(dn->pn_op == JSOP_NOP);
+         dn->pn_u.name.funbox2 = dn->pn_funbox;
+         dn->pn_u.name.expr2 = dn->pn_expr;
+         dn->pn_type = TOK_NAME;
+         dn->pn_arity = PN_NAME;
+         dn->pn_atom = atom;
+     }
+     /* Now make dn no longer a definition, rather a use of pn. */
+     JS_ASSERT(dn->pn_type == TOK_NAME);
+     JS_ASSERT(dn->pn_arity == PN_NAME);
+     JS_ASSERT(dn->pn_atom == atom);
+     for (JSParseNode *pnu = dn->dn_uses; pnu; pnu = pnu->pn_link) {
+         JS_ASSERT(pnu->pn_used);
+         JS_ASSERT(!pnu->pn_defn);
+         pnu->pn_lexdef = (JSDefinition *) pn;
+         pn->pn_dflags |= pnu->pn_dflags & (PND_ASSIGNED | PND_FUNARG);
+     }
+     pn->pn_dflags |= dn->pn_dflags & (PND_ASSIGNED | PND_FUNARG);
+     pn->dn_uses = dn;
+     dn->pn_defn = false;
+     dn->pn_used = true;
+     dn->pn_lexdef = (JSDefinition *) pn;
+     dn->pn_cookie = FREE_UPVAR_COOKIE;
+     dn->pn_dflags &= ~PND_BOUND;
+     return dn;
+ }
+ static bool
+ DefineArg(JSParseNode *pn, JSAtom *atom, uintN i, JSTreeContext *tc)
+ {
+     JSParseNode *argpn, *argsbody;
+     /* Flag tc so we don't have to lookup arguments on every use. */
+     if (atom == tc->compiler->context->runtime->atomState.argumentsAtom)
+         tc->flags |= TCF_FUN_PARAM_ARGUMENTS;
+     /*
+      * Make an argument definition node, distinguished by being in tc->decls
+      * but having TOK_NAME type and JSOP_NOP op. Insert it in a TOK_ARGSBODY
+      * list node returned via pn->pn_body.
+      */
+     argpn = NewNameNode(tc->compiler->context, TS(tc->compiler), atom, tc);
+     if (!argpn)
+         return false;
+     JS_ASSERT(PN_TYPE(argpn) == TOK_NAME && PN_OP(argpn) == JSOP_NOP);
+     /* Arguments are initialized by definition. */
+     argpn->pn_dflags |= PND_INITIALIZED;
+     if (!Define(argpn, atom, tc))
+         return false;
+     argsbody = pn->pn_body;
+     if (!argsbody) {
+         argsbody = NewParseNode(PN_LIST, tc);
+         if (!argsbody)
+             return false;
+         argsbody->pn_type = TOK_ARGSBODY;
+         argsbody->pn_op = JSOP_NOP;
+         argsbody->makeEmpty();
+         pn->pn_body = argsbody;
+     }
+     argsbody->append(argpn);
+     argpn->pn_op = JSOP_GETARG;
+     argpn->pn_cookie = MAKE_UPVAR_COOKIE(tc->staticLevel, i);
+     argpn->pn_dflags |= PND_BOUND;
+     return true;
+ }
  /*
   * Compile a JS function body, which might appear as the value of an event
   * handler attribute in an HTML <INPUT> tag.
   */
- JSBool
+ bool
- js_CompileFunctionBody(JSContext *cx, JSFunction *fun, JSPrincipals *principals,
+ JSCompiler::compileFunctionBody(JSContext *cx, JSFunction *fun, JSPrincipals *principals,
-                        const jschar *chars, size_t length,
+                                 const jschar *chars, size_t length,
-                        const char *filename, uintN lineno)
+                                 const char *filename, uintN lineno)
  {
-     JSParseContext pc;
+     JSCompiler jsc(cx, principals);
-     JSArenaPool codePool, notePool;
-     JSCodeGenerator funcg;
-     JSParseNode *pn;
-     if (!js_InitParseContext(cx, &pc, principals, NULL, chars, length, NULL,
+     if (!jsc.init(chars, length, NULL, filename, lineno))
-                              filename, lineno)) {
+         return false;
-         return JS_FALSE;
-     }
-     /* No early return from this point until js_FinishParseContext call. */
+     /* No early return from after here until the js_FinishArenaPool calls. */
+     JSArenaPool codePool, notePool;
      JS_INIT_ARENA_POOL(&codePool, "code", 1024, sizeof(jsbytecode),
                         &cx->scriptStackQuota);
      JS_INIT_ARENA_POOL(&notePool, "note", 1024, sizeof(jssrcnote),
                         &cx->scriptStackQuota);
-     js_InitCodeGenerator(cx, &funcg, &pc, &codePool, &notePool,
-                          pc.tokenStream.lineno);
+     JSCodeGenerator funcg(&jsc, &codePool, &notePool, jsc.tokenStream.lineno);
-     funcg.treeContext.flags |= TCF_IN_FUNCTION;
+     funcg.flags |= TCF_IN_FUNCTION;
-     funcg.treeContext.u.fun = fun;
+     funcg.fun = fun;
+     if (!GenerateBlockId(&funcg, funcg.bodyid))
+         return NULL;
+     /* FIXME: make Function format the source for a function definition. */
+     jsc.tokenStream.tokens[0].type = TOK_NAME;
+     JSParseNode *fn = NewParseNode(PN_FUNC, &funcg);
+     if (fn) {
+         fn->pn_body = NULL;
+         fn->pn_cookie = FREE_UPVAR_COOKIE;
+         uintN nargs = fun->nargs;
+         if (nargs) {
+             jsuword *names = js_GetLocalNameArray(cx, fun, &cx->tempPool);
+             if (!names) {
+                 fn = NULL;
+             } else {
+                 for (uintN i = 0; i < nargs; i++) {
+                     JSAtom *name = JS_LOCAL_NAME_TO_ATOM(names[i]);
+                     if (!DefineArg(fn, name, i, &funcg)) {
+                         fn = NULL;
+                         break;
+                     }
+                 }
+             }
+         }
+     }
      /*
       * Farble the body so that it looks like a block statement to js_EmitTree,
-      * which is called beneath FunctionBody; see Statements, further below in
+      * which is called from js_EmitFunctionBody (see jsemit.cpp).  After we're
-      * this file.  FunctionBody pushes a STMT_BLOCK record around its call to
+      * done parsing, we must fold constants, analyze any nested functions, and
-      * Statements, so Statements will not compile each statement as it loops
+      * generate code for this function, including a stop opcode at the end.
-      * to save JSParseNode space -- it will not compile at all, only build a
-      * JSParseNode tree.
-      *
-      * Therefore we must fold constants, allocate try notes, and generate code
-      * for this function, including a stop opcode at the end.
       */
-     CURRENT_TOKEN(&pc.tokenStream).type = TOK_LC;
+     CURRENT_TOKEN(&jsc.tokenStream).type = TOK_LC;
-     pn = FunctionBody(cx, &pc.tokenStream, &funcg.treeContext);
+     JSParseNode *pn = fn ? FunctionBody(cx, &jsc.tokenStream, &funcg) : NULL;
      if (pn) {
-         if (!js_MatchToken(cx, &pc.tokenStream, TOK_EOF)) {
+         if (!js_MatchToken(cx, &jsc.tokenStream, TOK_EOF)) {
-             js_ReportCompileErrorNumber(cx, &pc.tokenStream, NULL,
+             js_ReportCompileErrorNumber(cx, &jsc.tokenStream, NULL,
                                          JSREPORT_ERROR, JSMSG_SYNTAX_ERROR);
              pn = NULL;
+         } else if (!js_FoldConstants(cx, pn, &funcg)) {
+             /* js_FoldConstants reported the error already. */
+             pn = NULL;
+         } else if (funcg.functionList &&
+                    !jsc.analyzeFunctions(funcg.functionList, funcg.flags)) {
+             pn = NULL;
          } else {
-             if (!js_FoldConstants(cx, pn, &funcg.treeContext) ||
+             if (fn->pn_body) {
-                 !js_EmitFunctionScript(cx, &funcg, pn)) {
+                 JS_ASSERT(PN_TYPE(fn->pn_body) == TOK_ARGSBODY);
-                 pn = NULL;
+                 fn->pn_body->append(pn);
+                 fn->pn_body->pn_pos = pn->pn_pos;
+                 pn = fn->pn_body;
              }
+             if (!js_EmitFunctionScript(cx, &funcg, pn))
+                 pn = NULL;
          }
      }
      /* Restore saved state and release code generation arenas. */
-     js_FinishCodeGenerator(cx, &funcg);
      JS_FinishArenaPool(&codePool);
      JS_FinishArenaPool(&notePool);
-     js_FinishParseContext(cx, &pc);
      return pn != NULL;
  }
-Line 963
+Line 1546
  (*Binder)(JSContext *cx, BindData *data, JSAtom *atom, JSTreeContext *tc);
  struct BindData {
-     JSParseNode             *pn;                /* error source coordinate */
+     BindData() : fresh(true) {}
-     JSOp                    op;                 /* prolog bytecode or nop */
-     Binder                  binder;             /* binder, discriminates u */
+     JSParseNode     *pn;        /* name node for definition processing and
+                                    error source coordinates */
+     JSOp            op;         /* prolog bytecode or nop */
+     Binder          binder;     /* binder, discriminates u */
      union {
          struct {
-             uintN           overflow;
+             uintN   overflow;
          } let;
-     } u;
+     };
+     bool fresh;
  };
  static JSBool
- BindArg(JSContext *cx, JSAtom *atom, JSTreeContext *tc)
- {
-     const char *name;
-     /*
-      * Check for a duplicate parameter name, a "feature" required by ECMA-262.
-      */
-     JS_ASSERT(tc->flags & TCF_IN_FUNCTION);
-     if (js_LookupLocal(cx, tc->u.fun, atom, NULL) != JSLOCAL_NONE) {
-         name = js_AtomToPrintableString(cx, atom);
-         if (!name ||
-             !js_ReportCompileErrorNumber(cx, TS(tc->parseContext), NULL,
-                                          JSREPORT_WARNING | JSREPORT_STRICT,
-                                          JSMSG_DUPLICATE_FORMAL,
-                                          name)) {
-             return JS_FALSE;
-         }
-     }
-     return js_AddLocal(cx, tc->u.fun, atom, JSLOCAL_ARG);
- }
- static JSBool
  BindLocalVariable(JSContext *cx, JSFunction *fun, JSAtom *atom,
                    JSLocalKind localKind)
  {
-Line 1005
+Line 1569
      /*
       * Don't bind a variable with the hidden name 'arguments', per ECMA-262.
       * Instead 'var arguments' always restates the predefined property of the
-      * activation objects with unhidden name 'arguments'.  Assignment to such
+      * activation objects whose name is 'arguments'. Assignment to such a
-      * a variable must be handled specially.
+      * variable must be handled specially.
       */
      if (atom == cx->runtime->atomState.argumentsAtom)
          return JS_TRUE;
-Line 1027
+Line 1591
                       JSTreeContext *tc)
  {
      JSAtomListElement *ale;
-     const char *name;
+     JSParseNode *pn;
+     /* Flag tc so we don't have to lookup arguments on every use. */
+     if (atom == tc->compiler->context->runtime->atomState.argumentsAtom)
+         tc->flags |= TCF_FUN_PARAM_ARGUMENTS;
      JS_ASSERT(tc->flags & TCF_IN_FUNCTION);
-     ATOM_LIST_SEARCH(ale, &tc->decls, atom);
+     ale = tc->decls.lookup(atom);
-     if (!ale) {
+     pn = data->pn;
-         ale = js_IndexAtom(cx, atom, &tc->decls);
+     if (!ale && !Define(pn, atom, tc))
-         if (!ale)
+         return JS_FALSE;
-             return JS_FALSE;
-         ALE_SET_JSOP(ale, data->op);
-     }
-     if (js_LookupLocal(cx, tc->u.fun, atom, NULL) != JSLOCAL_NONE) {
+     JSLocalKind localKind = js_LookupLocal(cx, tc->fun, atom, NULL);
-         name = js_AtomToPrintableString(cx, atom);
+     if (localKind != JSLOCAL_NONE) {
-         if (!name ||
+         js_ReportCompileErrorNumber(cx, TS(tc->compiler), NULL,
-             !js_ReportCompileErrorNumber(cx, TS(tc->parseContext), data->pn,
+                                     JSREPORT_ERROR, JSMSG_DESTRUCT_DUP_ARG);
-                                          JSREPORT_WARNING | JSREPORT_STRICT,
+         return JS_FALSE;
-                                          JSMSG_DUPLICATE_FORMAL,
-                                          name)) {
-             return JS_FALSE;
-         }
-     } else {
-         if (!BindLocalVariable(cx, tc->u.fun, atom, JSLOCAL_VAR))
-             return JS_FALSE;
      }
+     uintN index = tc->fun->u.i.nvars;
+     if (!BindLocalVariable(cx, tc->fun, atom, JSLOCAL_VAR))
+         return JS_FALSE;
+     pn->pn_op = JSOP_SETLOCAL;
+     pn->pn_cookie = MAKE_UPVAR_COOKIE(tc->staticLevel, index);
+     pn->pn_dflags |= PND_BOUND;
      return JS_TRUE;
  }
  #endif /* JS_HAS_DESTRUCTURING */
- static JSFunction *
+ JSFunction *
- NewCompilerFunction(JSContext *cx, JSTreeContext *tc, JSAtom *atom,
+ JSCompiler::newFunction(JSTreeContext *tc, JSAtom *atom, uintN lambda)
-                     uintN lambda)
  {
      JSObject *parent;
      JSFunction *fun;
      JS_ASSERT((lambda & ~JSFUN_LAMBDA) == 0);
-     parent = (tc->flags & TCF_IN_FUNCTION)
-              ? FUN_OBJECT(tc->u.fun)
+     /*
-              : tc->u.scopeChain;
+      * Find the global compilation context in order to pre-set the newborn
-     fun = js_NewFunction(cx, NULL, NULL, 0, JSFUN_INTERPRETED | lambda,
+      * function's parent slot to tc->scopeChain. If the global context is a
+      * compile-and-go one, we leave the pre-set parent intact; otherwise we
+      * clear parent and proto.
+      */
+     while (tc->parent)
+         tc = tc->parent;
+     parent = (tc->flags & TCF_IN_FUNCTION) ? NULL : tc->scopeChain;
+     fun = js_NewFunction(context, NULL, NULL, 0, JSFUN_INTERPRETED | lambda,
                           parent, atom);
      if (fun && !(tc->flags & TCF_COMPILE_N_GO)) {
          STOBJ_CLEAR_PARENT(FUN_OBJECT(fun));
          STOBJ_CLEAR_PROTO(FUN_OBJECT(fun));
-Line 1075
+Line 1648
      return fun;
  }
+ static JSBool
+ MatchOrInsertSemicolon(JSContext *cx, JSTokenStream *ts)
+ {
+     JSTokenType tt;
+     ts->flags |= TSF_OPERAND;
+     tt = js_PeekTokenSameLine(cx, ts);
+     ts->flags &= ~TSF_OPERAND;
+     if (tt == TOK_ERROR)
+         return JS_FALSE;
+     if (tt != TOK_EOF && tt != TOK_EOL && tt != TOK_SEMI && tt != TOK_RC) {
+         js_ReportCompileErrorNumber(cx, ts, NULL, JSREPORT_ERROR,
+                                     JSMSG_SEMI_BEFORE_STMNT);
+         return JS_FALSE;
+     }
+     (void) js_MatchToken(cx, ts, TOK_SEMI);
+     return JS_TRUE;
+ }
+ bool
+ JSCompiler::analyzeFunctions(JSFunctionBox *funbox, uint16& tcflags)
+ {
+     if (!markFunArgs(funbox, tcflags))
+         return false;
+     setFunctionKinds(funbox, tcflags);
+     return true;
+ }
+ /*
+  * Mark as funargs any functions that reach up to one or more upvars across an
+  * already-known funarg. The parser will flag the o_m lambda as a funarg in:
+  *
+  *   function f(o, p) {
+  *       o.m = function o_m(a) {
+  *           function g() { return p; }
+  *           function h() { return a; }
+  *           return g() + h();
+  *       }
+  *   }
+  *
+  * but without this extra marking phase, function g will not be marked as a
+  * funarg since it is called from within its parent scope. But g reaches up to
+  * f's parameter p, so if o_m escapes f's activation scope, g does too and
+  * cannot use JSOP_GETUPVAR to reach p. In contast function h neither escapes
+  * nor uses an upvar "above" o_m's level.
+  *
+  * If function g itself contained lambdas that contained non-lambdas that reach
+  * up above its level, then those non-lambdas would have to be marked too. This
+  * process is potentially exponential in the number of functions, but generally
+  * not so complex. But it can't be done during a single recursive traversal of
+  * the funbox tree, so we must use a work queue.
+  *
+  * Return the minimal "skipmin" for funbox and its siblings. This is the delta
+  * between the static level of the bodies of funbox and its peers (which must
+  * be funbox->level + 1), and the static level of the nearest upvar among all
+  * the upvars contained by funbox and its peers. If there are no upvars, return
+  * FREE_STATIC_LEVEL. Thus this function never returns 0.
+  */
+ static uintN
+ FindFunArgs(JSFunctionBox *funbox, int level, JSFunctionBoxQueue *queue)
+ {
+     uintN allskipmin = FREE_STATIC_LEVEL;
+     do {
+         JSParseNode *fn = funbox->node;
+         JSFunction *fun = (JSFunction *) funbox->object;
+         int fnlevel = level;
+         /*
+          * An eval can leak funbox, functions along its ancestor line, and its
+          * immediate kids. Since FindFunArgs uses DFS and the parser propagates
+          * TCF_FUN_HEAVYWEIGHT bottom up, funbox's ancestor function nodes have
+          * already been marked as funargs by this point. Therefore we have to
+          * flag only funbox->node and funbox->kids' nodes here.
+          */
+         if (funbox->tcflags & TCF_FUN_HEAVYWEIGHT) {
+             fn->setFunArg();
+             for (JSFunctionBox *kid = funbox->kids; kid; kid = kid->siblings)
+                 kid->node->setFunArg();
+         }
+         /*
+          * Compute in skipmin the least distance from fun's static level up to
+          * an upvar, whether used directly by fun, or indirectly by a function
+          * nested in fun.
+          */
+         uintN skipmin = FREE_STATIC_LEVEL;
+         JSParseNode *pn = fn->pn_body;
+         if (pn->pn_type == TOK_UPVARS) {
+             JSAtomList upvars(pn->pn_names);
+             JS_ASSERT(upvars.count != 0);
+             JSAtomListIterator iter(&upvars);
+             JSAtomListElement *ale;
+             while ((ale = iter()) != NULL) {
+                 JSDefinition *lexdep = ALE_DEFN(ale)->resolve();
+                 if (!lexdep->isFreeVar()) {
+                     uintN upvarLevel = lexdep->frameLevel();
+                     if (int(upvarLevel) <= fnlevel)
+                         fn->setFunArg();
+                     uintN skip = (funbox->level + 1) - upvarLevel;
+                     if (skip < skipmin)
+                         skipmin = skip;
+                 }
+             }
+         }
+         /*
+          * If this function escapes, whether directly (the parser detects such
+          * escapes) or indirectly (because this non-escaping function uses an
+          * upvar that reaches across an outer function boundary where the outer
+          * function escapes), enqueue it for further analysis, and bump fnlevel
+          * to trap any non-escaping children.
+          */
+         if (fn->isFunArg()) {
+             queue->push(funbox);
+             fnlevel = int(funbox->level);
+         }
+         /*
+          * Now process the current function's children, and recalibrate their
+          * cumulative skipmin to be relative to the current static level.
+          */
+         if (funbox->kids) {
+             uintN kidskipmin = FindFunArgs(funbox->kids, fnlevel, queue);
+             JS_ASSERT(kidskipmin != 0);
+             if (kidskipmin != FREE_STATIC_LEVEL) {
+                 --kidskipmin;
+                 if (kidskipmin != 0 && kidskipmin < skipmin)
+                     skipmin = kidskipmin;
+             }
+         }
+         /*
+          * Finally, after we've traversed all of the current function's kids,
+          * minimize fun's skipmin against our accumulated skipmin. Do likewise
+          * with allskipmin, but minimize across funbox and all of its siblings,
+          * to compute our return value.
+          */
+         if (skipmin != FREE_STATIC_LEVEL) {
+             fun->u.i.skipmin = skipmin;
+             if (skipmin < allskipmin)
+                 allskipmin = skipmin;
+         }
+     } while ((funbox = funbox->siblings) != NULL);
+     return allskipmin;
+ }
+ bool
+ JSCompiler::markFunArgs(JSFunctionBox *funbox, uintN tcflags)
+ {
+     JSFunctionBoxQueue queue;
+     if (!queue.init(functionCount))
+         return false;
+     FindFunArgs(funbox, -1, &queue);
+     while ((funbox = queue.pull()) != NULL) {
+         JSParseNode *fn = funbox->node;
+         JS_ASSERT(fn->isFunArg());
+         JSParseNode *pn = fn->pn_body;
+         if (pn->pn_type == TOK_UPVARS) {
+             JSAtomList upvars(pn->pn_names);
+             JS_ASSERT(upvars.count != 0);
+             JSAtomListIterator iter(&upvars);
+             JSAtomListElement *ale;
+             while ((ale = iter()) != NULL) {
+                 JSDefinition *lexdep = ALE_DEFN(ale)->resolve();
+                 if (!lexdep->isFreeVar() &&
+                     !lexdep->isFunArg() &&
+                     lexdep->kind() == JSDefinition::FUNCTION) {
+                     /*
+                      * Mark this formerly-Algol-like function as an escaping
+                      * function (i.e., as a funarg), because it is used from a
+                      * funarg and therefore can not use JSOP_{GET,CALL}UPVAR to
+                      * access upvars.
+                      *
+                      * Progress is guaranteed because we set the funarg flag
+                      * here, which suppresses revisiting this function (thanks
+                      * to the !lexdep->isFunArg() test just above).
+                      */
+                     lexdep->setFunArg();
+                     JSFunctionBox *afunbox = lexdep->pn_funbox;
+                     queue.push(afunbox);
+                     /*
+                      * Walk over nested functions again, now that we have
+                      * changed the level across which it is unsafe to access
+                      * upvars using the runtime dynamic link (frame chain).
+                      */
+                     if (afunbox->kids)
+                         FindFunArgs(afunbox->kids, afunbox->level, &queue);
+                 }
+             }
+         }
+     }
+     return true;
+ }
+ static uint32
+ MinBlockId(JSParseNode *fn, uint32 id)
+ {
+     if (fn->pn_blockid < id)
+         return false;
+     if (fn->pn_defn) {
+         for (JSParseNode *pn = fn->dn_uses; pn; pn = pn->pn_link) {
+             if (pn->pn_blockid < id)
+                 return false;
+         }
+     }
+     return true;
+ }
+ static bool
+ OneBlockId(JSParseNode *fn, uint32 id)
+ {
+     if (fn->pn_blockid != id)
+         return false;
+     if (fn->pn_defn) {
+         for (JSParseNode *pn = fn->dn_uses; pn; pn = pn->pn_link) {
+             if (pn->pn_blockid != id)
+                 return false;
+         }
+     }
+     return true;
+ }
+ void
+ JSCompiler::setFunctionKinds(JSFunctionBox *funbox, uint16& tcflags)
+ {
+ #ifdef JS_FUNCTION_METERING
+ # define FUN_METER(x)   JS_RUNTIME_METER(context->runtime, functionMeter.x)
+ #else
+ # define FUN_METER(x)   ((void)0)
+ #endif
+     JSFunctionBox *parent = funbox->parent;
+     for (;;) {
+         JSParseNode *fn = funbox->node;
+         if (funbox->kids)
+             setFunctionKinds(funbox->kids, tcflags);
+         JSParseNode *pn = fn->pn_body;
+         JSFunction *fun = (JSFunction *) funbox->object;
+         FUN_METER(allfun);
+         if (funbox->tcflags & TCF_FUN_HEAVYWEIGHT) {
+             FUN_METER(heavy);
+             JS_ASSERT(FUN_KIND(fun) == JSFUN_INTERPRETED);
+         } else if (pn->pn_type != TOK_UPVARS) {
+             /*
+              * No lexical dependencies => null closure, for best performance.
+              * A null closure needs no scope chain, but alas we've coupled
+              * principals-finding to scope (for good fundamental reasons, but
+              * the implementation overloads the parent slot and we should fix
+              * that). See, e.g., the JSOP_LAMBDA case in jsinterp.cpp.
+              *
+              * In more detail: the ES3 spec allows the implementation to create
+              * "joined function objects", or not, at its discretion. But real-
+              * world implementations always create unique function objects for
+              * closures, and this can be detected via mutation. Open question:
+              * do popular implementations create unique function objects for
+              * null closures?
+              *
+              * FIXME: bug 476950.
+              */
+             FUN_METER(nofreeupvar);
+             FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+         } else {
+             JSAtomList upvars(pn->pn_names);
+             JS_ASSERT(upvars.count != 0);
+             JSAtomListIterator iter(&upvars);
+             JSAtomListElement *ale;
+             if (!fn->isFunArg()) {
+                 /*
+                  * This function is Algol-like, it never escapes. So long as it
+                  * does not assign to outer variables, it needs only an upvars
+                  * array in its script and JSOP_{GET,CALL}UPVAR opcodes in its
+                  * bytecode to reach up the frame stack at runtime based on
+                  * those upvars' cookies.
+                  *
+                  * Any assignments to upvars from functions called by this one
+                  * will be coherent because of the JSOP_{GET,CALL}UPVAR ops,
+                  * which load from stack homes when interpreting or from native
+                  * stack slots when executing a trace.
+                  *
+                  * We could add JSOP_SETUPVAR, etc., but it is uncommon for a
+                  * nested function to assign to an outer lexical variable, so
+                  * we defer adding yet more code footprint in the absence of
+                  * evidence motivating these opcodes.
+                  */
+                 bool mutation = !!(funbox->tcflags & TCF_FUN_SETS_OUTER_NAME);
+                 uintN nupvars = 0;
+                 /*
+                  * Check that at least one outer lexical binding was assigned
+                  * to (global variables don't count). This is conservative: we
+                  * could limit assignments to those in the current function,
+                  * but that's too much work. As with flat closures (handled
+                  * below), we optimize for the case where outer bindings are
+                  * not reassigned anywhere.
+                  */
+                 while ((ale = iter()) != NULL) {
+                     JSDefinition *lexdep = ALE_DEFN(ale)->resolve();
+                     if (!lexdep->isFreeVar()) {
+                         JS_ASSERT(lexdep->frameLevel() <= funbox->level);
+                         ++nupvars;
+                         if (lexdep->isAssigned())
+                             break;
+                     }
+                 }
+                 if (!ale)
+                     mutation = false;
+                 if (nupvars == 0) {
+                     FUN_METER(onlyfreevar);
+                     FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+                 } else if (!mutation && !(funbox->tcflags & TCF_FUN_IS_GENERATOR)) {
+                     /*
+                      * Algol-like functions can read upvars using the dynamic
+                      * link (cx->fp/fp->down). They do not need to entrain and
+                      * search their environment.
+                      */
+                     FUN_METER(display);
+                     FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+                 } else {
+                     if (!(funbox->tcflags & TCF_FUN_IS_GENERATOR))
+                         FUN_METER(setupvar);
+                 }
+             } else {
+                 uintN nupvars = 0;
+                 /*
+                  * For each lexical dependency from this closure to an outer
+                  * binding, analyze whether it is safe to copy the binding's
+                  * value into a flat closure slot when the closure is formed.
+                  */
+                 while ((ale = iter()) != NULL) {
+                     JSDefinition *lexdep = ALE_DEFN(ale)->resolve();
+                     if (!lexdep->isFreeVar()) {
+                         ++nupvars;
+                         /*
+                          * Consider the current function (the lambda, innermost
+                          * below) using a var x defined two static levels up:
+                          *
+                          *  function f() {
+                          *      // z = g();
+                          *      var x = 42;
+                          *      function g() {
+                          *          return function () { return x; };
+                          *      }
+                          *      return g();
+                          *  }
+                          *
+                          * So long as (1) the initialization in 'var x = 42'
+                          * dominates all uses of g and (2) x is not reassigned,
+                          * it is safe to optimize the lambda to a flat closure.
+                          * Uncommenting the early call to g makes it unsafe to
+                          * so optimize (z could name a global setter that calls
+                          * its argument).
+                          */
+                         JSFunctionBox *afunbox = funbox;
+                         uintN lexdepLevel = lexdep->frameLevel();
+                         JS_ASSERT(lexdepLevel <= funbox->level);
+                         while (afunbox->level != lexdepLevel) {
+                             afunbox = afunbox->parent;
+                             /*
+                              * afunbox can't be null because we are sure
+                              * to find a function box whose level == lexdepLevel
+                              * before walking off the top of the funbox tree.
+                              * See bug 493260 comments 16-18.
+                              *
+                              * Assert but check anyway, to check future changes
+                              * that bind eval upvars in the parser.
+                              */
+                             JS_ASSERT(afunbox);
+                             /*
+                              * If this function is reaching up across an
+                              * enclosing funarg, we cannot make a flat
+                              * closure. The display stops working once the
+                              * funarg escapes.
+                              */
+                             if (!afunbox || afunbox->node->isFunArg())
+                                 goto break2;
+                         }
+                         /*
+                          * If afunbox's function (which is at the same level as
+                          * lexdep) is in a loop, pessimistically assume the
+                          * variable initializer may be in the same loop. A flat
+                          * closure would then be unsafe, as the captured
+                          * variable could be assigned after the closure is
+                          * created. See bug 493232.
+                          */
+                         if (afunbox->inLoop)
+                             break;
+                         /*
+                          * with and eval defeat lexical scoping; eval anywhere
+                          * in a variable's scope can assign to it. Both defeat
+                          * the flat closure optimization. The parser detects
+                          * these cases and flags the function heavyweight.
+                          */
+                         if ((afunbox->parent ? afunbox->parent->tcflags : tcflags)
+                             & TCF_FUN_HEAVYWEIGHT) {
+                             break;
+                         }
+                         /*
+                          * If afunbox's function is not a lambda, it will be
+                          * hoisted, so it could capture the undefined value
+                          * that by default initializes var/let/const
+                          * bindings. And if lexdep is a function that comes at
+                          * (meaning a function refers to its own name) or
+                          * strictly after afunbox, we also break to defeat the
+                          * flat closure optimization.
+                          */
+                         JSFunction *afun = (JSFunction *) afunbox->object;
+                         if (!(afun->flags & JSFUN_LAMBDA)) {
+                             if (lexdep->isBindingForm())
+                                 break;
+                             if (lexdep->pn_pos >= afunbox->node->pn_pos)
+                                 break;
+                         }
+                         if (!lexdep->isInitialized())
+                             break;
+                         JSDefinition::Kind lexdepKind = lexdep->kind();
+                         if (lexdepKind != JSDefinition::CONST) {
+                             if (lexdep->isAssigned())
+                                 break;
+                             /*
+                              * Any formal could be mutated behind our back via
+                              * the arguments object, so deoptimize if the outer
+                              * function uses arguments.
+                              *
+                              * In a Function constructor call where the final
+                              * argument -- the body source for the function to
+                              * create -- contains a nested function definition
+                              * or expression, afunbox->parent will be null. The
+                              * body source might use |arguments| outside of any
+                              * nested functions it may contain, so we have to
+                              * check the tcflags parameter that was passed in
+                              * from JSCompiler::compileFunctionBody.
+                              */
+                             if (lexdepKind == JSDefinition::ARG &&
+                                 ((afunbox->parent ? afunbox->parent->tcflags : tcflags) &
+                                  TCF_FUN_USES_ARGUMENTS)) {
+                                 break;
+                             }
+                         }
+                         /*
+                          * Check quick-and-dirty dominance relation. Function
+                          * definitions dominate their uses thanks to hoisting.
+                          * Other binding forms hoist as undefined, of course,
+                          * so check forward-reference and blockid relations.
+                          */
+                         if (lexdepKind != JSDefinition::FUNCTION) {
+                             /*
+                              * Watch out for code such as
+                              *
+                              *   (function () {
+                              *   ...
+                              *   var jQuery = ... = function (...) {
+                              *       return new jQuery.foo.bar(baz);
+                              *   }
+                              *   ...
+                              *   })();
+                              *
+                              * where the jQuery var is not reassigned, but of
+                              * course is not initialized at the time that the
+                              * would-be-flat closure containing the jQuery
+                              * upvar is formed.
+                              */
+                             if (lexdep->pn_pos.end >= afunbox->node->pn_pos.end)
+                                 break;
+                             if (lexdep->isTopLevel()
+                                 ? !MinBlockId(afunbox->node, lexdep->pn_blockid)
+                                 : !lexdep->isBlockChild() ||
+                                   !afunbox->node->isBlockChild() ||
+                                   !OneBlockId(afunbox->node, lexdep->pn_blockid)) {
+                                 break;
+                             }
+                         }
+                     }
+                 }
+               break2:
+                 if (nupvars == 0) {
+                     FUN_METER(onlyfreevar);
+                     FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+                 } else if (!ale) {
+                     /*
+                      * We made it all the way through the upvar loop, so it's
+                      * safe to optimize to a flat closure.
+                      */
+                     FUN_METER(flat);
+                     FUN_SET_KIND(fun, JSFUN_FLAT_CLOSURE);
+                     switch (PN_OP(fn)) {
+                       case JSOP_DEFFUN:
+                         fn->pn_op = JSOP_DEFFUN_FC;
+                         break;
+                       case JSOP_DEFLOCALFUN:
+                         fn->pn_op = JSOP_DEFLOCALFUN_FC;
+                         break;
+                       case JSOP_LAMBDA:
+                         fn->pn_op = JSOP_LAMBDA_FC;
+                         break;
+                       default:
+                         /* js_EmitTree's case TOK_FUNCTION: will select op. */
+                         JS_ASSERT(PN_OP(fn) == JSOP_NOP);
+                     }
+                 } else {
+                     FUN_METER(badfunarg);
+                 }
+             }
+         }
+         if (FUN_KIND(fun) == JSFUN_INTERPRETED) {
+             if (pn->pn_type != TOK_UPVARS) {
+                 if (parent)
+                     parent->tcflags |= TCF_FUN_HEAVYWEIGHT;
+             } else {
+                 JSAtomList upvars(pn->pn_names);
+                 JS_ASSERT(upvars.count != 0);
+                 JSAtomListIterator iter(&upvars);
+                 JSAtomListElement *ale;
+                 /*
+                  * One or more upvars cannot be safely snapshot into a flat
+                  * closure's dslot (see JSOP_GETDSLOT), so we loop again over
+                  * all upvars, and for each non-free upvar, ensure that its
+                  * containing function has been flagged as heavyweight.
+                  *
+                  * The emitter must see TCF_FUN_HEAVYWEIGHT accurately before
+                  * generating any code for a tree of nested functions.
+                  */
+                 while ((ale = iter()) != NULL) {
+                     JSDefinition *lexdep = ALE_DEFN(ale)->resolve();
+                     if (!lexdep->isFreeVar()) {
+                         JSFunctionBox *afunbox = funbox->parent;
+                         uintN lexdepLevel = lexdep->frameLevel();
+                         while (afunbox) {
+                             /*
+                              * NB: afunbox->level is the static level of
+                              * the definition or expression of the function
+                              * parsed into afunbox, not the static level of
+                              * its body. Therefore we must add 1 to match
+                              * lexdep's level to find the afunbox whose
+                              * body contains the lexdep definition.
+                              */
+                             if (afunbox->level + 1U == lexdepLevel ||
+                                 (lexdepLevel == 0 && lexdep->isLet())) {
+                                 afunbox->tcflags |= TCF_FUN_HEAVYWEIGHT;
+                                 break;
+                             }
+                             afunbox = afunbox->parent;
+                         }
+                         if (!afunbox && (tcflags & TCF_IN_FUNCTION))
+                             tcflags |= TCF_FUN_HEAVYWEIGHT;
+                     }
+                 }
+             }
+         }
+         funbox = funbox->siblings;
+         if (!funbox)
+             break;
+         JS_ASSERT(funbox->parent == parent);
+     }
+ #undef FUN_METER
+ }
+ const char js_argument_str[] = "argument";
+ const char js_variable_str[] = "variable";
+ const char js_unknown_str[]  = "unknown";
+ const char *
+ JSDefinition::kindString(Kind kind)
+ {
+     static const char *table[] = {
+         js_var_str, js_const_str, js_let_str,
+         js_function_str, js_argument_str, js_unknown_str
+     };
+     JS_ASSERT(unsigned(kind) <= unsigned(ARG));
+     return table[kind];
+ }
+ static JSFunctionBox *
+ EnterFunction(JSParseNode *fn, JSTreeContext *tc, JSTreeContext *funtc,
+               JSAtom *funAtom = NULL, uintN lambda = JSFUN_LAMBDA)
+ {
+     JSFunction *fun = tc->compiler->newFunction(tc, funAtom, lambda);
+     if (!fun)
+         return NULL;
+     /* Create box for fun->object early to protect against last-ditch GC. */
+     JSFunctionBox *funbox = tc->compiler->newFunctionBox(FUN_OBJECT(fun), fn, tc);
+     if (!funbox)
+         return NULL;
+     /* Initialize non-default members of funtc. */
+     funtc->flags |= funbox->tcflags;
+     funtc->blockidGen = tc->blockidGen;
+     if (!GenerateBlockId(funtc, funtc->bodyid))
+         return NULL;
+     funtc->fun = fun;
+     funtc->funbox = funbox;
+     funtc->parent = tc;
+     if (!SetStaticLevel(funtc, tc->staticLevel + 1))
+         return NULL;
+     return funbox;
+ }
+ static bool
+ LeaveFunction(JSParseNode *fn, JSTreeContext *funtc, JSTreeContext *tc,
+               JSAtom *funAtom = NULL, uintN lambda = JSFUN_LAMBDA)
+ {
+     tc->blockidGen = funtc->blockidGen;
+     fn->pn_funbox->tcflags |= funtc->flags & (TCF_FUN_FLAGS | TCF_COMPILE_N_GO);
+     fn->pn_dflags |= PND_INITIALIZED;
+     JS_ASSERT_IF(tc->atTopLevel() && lambda == 0 && funAtom,
+                  fn->pn_dflags & PND_TOPLEVEL);
+     if (!tc->topStmt || tc->topStmt->type == STMT_BLOCK)
+         fn->pn_dflags |= PND_BLOCKCHILD;
+     /*
+      * Propagate unresolved lexical names up to tc->lexdeps, and save a copy
+      * of funtc->lexdeps in a TOK_UPVARS node wrapping the function's formal
+      * params and body. We do this only if there are lexical dependencies not
+      * satisfied by the function's declarations, to avoid penalizing functions
+      * that use only their arguments and other local bindings.
+      */
+     if (funtc->lexdeps.count != 0) {
+         JSAtomListIterator iter(&funtc->lexdeps);
+         JSAtomListElement *ale;
+         int foundCallee = 0;
+         while ((ale = iter()) != NULL) {
+             JSAtom *atom = ALE_ATOM(ale);
+             JSDefinition *dn = ALE_DEFN(ale);
+             JS_ASSERT(dn->isPlaceholder());
+             if (atom == funAtom && lambda != 0) {
+                 dn->pn_op = JSOP_CALLEE;
+                 dn->pn_cookie = MAKE_UPVAR_COOKIE(funtc->staticLevel, CALLEE_UPVAR_SLOT);
+                 dn->pn_dflags |= PND_BOUND;
+                 /*
+                  * If this named function expression uses its own name other
+                  * than to call itself, flag this function as using arguments,
+                  * as if it had used arguments.callee instead of its own name.
+                  *
+                  * This abuses the plain sense of TCF_FUN_USES_ARGUMENTS, but
+                  * we are out of tcflags bits at the moment. If it deoptimizes
+                  * code unfairly (see JSCompiler::setFunctionKinds, where this
+                  * flag is interpreted in its broader sense, not only to mean
+                  * "this function might leak arguments.callee"), we can perhaps
+                  * try to work harder to add a TCF_FUN_LEAKS_ITSELF flag and
+                  * use that more precisely, both here and for unnamed function
+                  * expressions.
+                  */
+                 if (dn->isFunArg())
+                     fn->pn_funbox->tcflags |= TCF_FUN_USES_ARGUMENTS;
+                 foundCallee = 1;
+                 continue;
+             }
+             if (!(fn->pn_funbox->tcflags & TCF_FUN_SETS_OUTER_NAME) &&
+                 dn->isAssigned()) {
+                 /*
+                  * Make sure we do not fail to set TCF_FUN_SETS_OUTER_NAME if
+                  * any use of dn in funtc assigns. See NoteLValue for the easy
+                  * backward-reference case; this is the hard forward-reference
+                  * case where we pay a higher price.
+                  */
+                 for (JSParseNode *pnu = dn->dn_uses; pnu; pnu = pnu->pn_link) {
+                     if (pnu->isAssigned() && pnu->pn_blockid >= funtc->bodyid) {
+                         fn->pn_funbox->tcflags |= TCF_FUN_SETS_OUTER_NAME;
+                         break;
+                     }
+                 }
+             }
+             JSAtomListElement *outer_ale = tc->decls.lookup(atom);
+             if (!outer_ale)
+                 outer_ale = tc->lexdeps.lookup(atom);
+             if (outer_ale) {
+                 /*
+                  * Insert dn's uses list at the front of outer_dn's list.
+                  *
+                  * Without loss of generality or correctness, we allow a dn to
+                  * be in inner and outer lexdeps, since the purpose of lexdeps
+                  * is one-pass coordination of name use and definition across
+                  * functions, and if different dn's are used we'll merge lists
+                  * when leaving the inner function.
+                  *
+                  * The dn == outer_dn case arises with generator expressions
+                  * (see CompExprTransplanter::transplant, the PN_FUNC/PN_NAME
+                  * case), and nowhere else, currently.
+                  */
+                 JSDefinition *outer_dn = ALE_DEFN(outer_ale);
+                 if (dn != outer_dn) {
+                     JSParseNode **pnup = &dn->dn_uses;
+                     JSParseNode *pnu;
+                     while ((pnu = *pnup) != NULL) {
+                         pnu->pn_lexdef = outer_dn;
+                         pnup = &pnu->pn_link;
+                     }
+                     /*
+                      * Make dn be a use that redirects to outer_dn, because we
+                      * can't replace dn with outer_dn in all the pn_namesets in
+                      * the AST where it may be. Instead we make it forward to
+                      * outer_dn. See JSDefinition::resolve.
+                      */
+                     *pnup = outer_dn->dn_uses;
+                     outer_dn->dn_uses = dn;
+                     outer_dn->pn_dflags |= dn->pn_dflags & ~PND_PLACEHOLDER;
+                     dn->pn_defn = false;
+                     dn->pn_used = true;
+                     dn->pn_lexdef = outer_dn;
+                 }
+             } else {
+                 /* Add an outer lexical dependency for ale's definition. */
+                 outer_ale = tc->lexdeps.add(tc->compiler, atom);
+                 if (!outer_ale)
+                     return false;
+                 ALE_SET_DEFN(outer_ale, ALE_DEFN(ale));
+             }
+         }
+         if (funtc->lexdeps.count - foundCallee != 0) {
+             JSParseNode *body = fn->pn_body;
+             fn->pn_body = NewParseNode(PN_NAMESET, tc);
+             if (!fn->pn_body)
+                 return false;
+             fn->pn_body->pn_type = TOK_UPVARS;
+             fn->pn_body->pn_pos = body->pn_pos;
+             if (foundCallee)
+                 funtc->lexdeps.remove(tc->compiler, funAtom);
+             fn->pn_body->pn_names = funtc->lexdeps;
+             fn->pn_body->pn_tree = body;
+         }
+         funtc->lexdeps.clear();
+     }
+     return true;
+ }
  static JSParseNode *
  FunctionDef(JSContext *cx, JSTokenStream *ts, JSTreeContext *tc,
              uintN lambda)
  {
-     JSOp op, prevop;
+     JSOp op;
      JSParseNode *pn, *body, *result;
      JSTokenType tt;
      JSAtom *funAtom;
-     JSParsedObjectBox *funpob;
      JSAtomListElement *ale;
-     JSFunction *fun;
-     JSTreeContext funtc;
  #if JS_HAS_DESTRUCTURING
      JSParseNode *item, *list = NULL;
+     bool destructuringArg = false, duplicatedArg = false;
  #endif
      /* Make a TOK_FUNCTION node. */
  #if JS_HAS_GETTER_SETTER
      op = CURRENT_TOKEN(ts).t_op;
  #endif
-     pn = NewParseNode(cx, ts, PN_FUNC, tc);
+     pn = NewParseNode(PN_FUNC, tc);
      if (!pn)
          return NULL;
- #ifdef DEBUG
+     pn->pn_body = NULL;
-     pn->pn_index = (uint32) -1;
+     pn->pn_cookie = FREE_UPVAR_COOKIE;
- #endif
+     /*
+      * If a lambda, give up on JSOP_{GET,CALL}UPVAR usage unless this function
+      * is immediately applied (we clear PND_FUNARG if so -- see MemberExpr).
+      *
+      * Also treat function sub-statements (non-lambda, non-top-level functions)
+      * as escaping funargs, since we can't statically analyze their definitions
+      * and uses.
+      */
+     bool topLevel = tc->atTopLevel();
+     pn->pn_dflags = (lambda || !topLevel) ? PND_FUNARG : 0;
      /* Scan the optional function name into funAtom. */
      ts->flags |= TSF_KEYWORD_IS_NAME;
-Line 1123
+Line 2490
       * avoid optimizing variable references that might name a function.
       */
      if (lambda == 0 && funAtom) {
-         ATOM_LIST_SEARCH(ale, &tc->decls, funAtom);
+         ale = tc->decls.lookup(funAtom);
          if (ale) {
-             prevop = ALE_JSOP(ale);
+             JSDefinition *dn = ALE_DEFN(ale);
-             if (JS_HAS_STRICT_OPTION(cx) || prevop == JSOP_DEFCONST) {
+             JSDefinition::Kind dn_kind = dn->kind();
+             JS_ASSERT(!dn->pn_used);
+             JS_ASSERT(dn->pn_defn);
+             if (JS_HAS_STRICT_OPTION(cx) || dn_kind == JSDefinition::CONST) {
                  const char *name = js_AtomToPrintableString(cx, funAtom);
                  if (!name ||
                      !js_ReportCompileErrorNumber(cx, ts, NULL,
-                                                  (prevop != JSOP_DEFCONST)
+                                                  (dn_kind != JSDefinition::CONST)
-                                                  ? JSREPORT_WARNING |
+                                                  ? JSREPORT_WARNING | JSREPORT_STRICT
-                                                    JSREPORT_STRICT
                                                   : JSREPORT_ERROR,
                                                   JSMSG_REDECLARED_VAR,
-                                                  (prevop == JSOP_DEFFUN)
+                                                  JSDefinition::kindString(dn_kind),
-                                                  ? js_function_str
-                                                  : (prevop == JSOP_DEFCONST)
-                                                  ? js_const_str
-                                                  : js_var_str,
                                                   name)) {
                      return NULL;
                  }
              }
-             if (!AT_TOP_LEVEL(tc) && prevop == JSOP_DEFVAR)
-                 tc->flags |= TCF_FUN_CLOSURE_VS_VAR;
+             if (topLevel) {
-         } else {
+                 ALE_SET_DEFN(ale, pn);
-             ale = js_IndexAtom(cx, funAtom, &tc->decls);
+                 pn->pn_defn = true;
-             if (!ale)
+                 pn->dn_uses = dn;               /* dn->dn_uses is now pn_link */
+                 if (!MakeDefIntoUse(dn, pn, funAtom, tc))
+                     return NULL;
+             }
+         } else if (topLevel) {
+             /*
+              * If this function was used before it was defined, claim the
+              * pre-created definition node for this function that PrimaryExpr
+              * put in tc->lexdeps on first forward reference, and recycle pn.
+              */
+             JSHashEntry **hep;
+             ale = tc->lexdeps.rawLookup(funAtom, hep);
+             if (ale) {
+                 JSDefinition *fn = ALE_DEFN(ale);
+                 JS_ASSERT(fn->pn_defn);
+                 fn->pn_type = TOK_FUNCTION;
+                 fn->pn_arity = PN_FUNC;
+                 fn->pn_pos.begin = pn->pn_pos.begin;
+                 fn->pn_body = NULL;
+                 fn->pn_cookie = FREE_UPVAR_COOKIE;
+                 tc->lexdeps.rawRemove(tc->compiler, ale, hep);
+                 RecycleTree(pn, tc);
+                 pn = fn;
+             }
+             if (!Define(pn, funAtom, tc))
                  return NULL;
          }
-         ALE_SET_JSOP(ale, JSOP_DEFFUN);
          /*
           * A function nested at top level inside another's body needs only a
-Line 1161
+Line 2556
           * wins when jsemit.c's BindNameToSlot can optimize a JSOP_NAME into a
           * JSOP_GETLOCAL bytecode).
           */
-         if (AT_TOP_LEVEL(tc) && (tc->flags & TCF_IN_FUNCTION)) {
+         if (topLevel) {
-             JSLocalKind localKind;
+             pn->pn_dflags |= PND_TOPLEVEL;
-             /*
+             if (tc->flags & TCF_IN_FUNCTION) {
-              * Define a property on the outer function so that BindNameToSlot
+                 JSLocalKind localKind;
-              * can properly optimize accesses. Note that we need a variable,
+                 uintN index;
-              * not an argument, for the function statement. Thus we add a
-              * variable even if the parameter with the given name already
+                 /*
-              * exists.
+                  * Define a local in the outer function so that BindNameToSlot
-              */
+                  * can properly optimize accesses. Note that we need a local
-             localKind = js_LookupLocal(cx, tc->u.fun, funAtom, NULL);
+                  * variable, not an argument, for the function statement. Thus
-             if (localKind == JSLOCAL_NONE || localKind == JSLOCAL_ARG) {
+                  * we add a variable even if a parameter with the given name
-                 if (!js_AddLocal(cx, tc->u.fun, funAtom, JSLOCAL_VAR))
+                  * already exists.
-                     return NULL;
+                  */
+                 localKind = js_LookupLocal(cx, tc->fun, funAtom, &index);
+                 switch (localKind) {
+                   case JSLOCAL_NONE:
+                   case JSLOCAL_ARG:
+                     index = tc->fun->u.i.nvars;
+                     if (!js_AddLocal(cx, tc->fun, funAtom, JSLOCAL_VAR))
+                         return NULL;
+                     /* FALL THROUGH */
+                   case JSLOCAL_VAR:
+                     pn->pn_cookie = MAKE_UPVAR_COOKIE(tc->staticLevel, index);
+                     pn->pn_dflags |= PND_BOUND;
+                     break;
+                   default:;
+                 }
              }
          }
      }
-     fun = NewCompilerFunction(cx, tc, funAtom, lambda);
+     /* Initialize early for possible flags mutation via DestructuringExpr. */
-     if (!fun)
+     JSTreeContext funtc(tc->compiler);
+     JSFunctionBox *funbox = EnterFunction(pn, tc, &funtc, funAtom, lambda);
+     if (!funbox)
          return NULL;
+     JSFunction *fun = (JSFunction *) funbox->object;
  #if JS_HAS_GETTER_SETTER
      if (op != JSOP_NOP)
          fun->flags |= (op == JSOP_GETTER) ? JSPROP_GETTER : JSPROP_SETTER;
  #endif
-     /*
-      * Create wrapping box for fun->object early to protect against a
-      * last-ditch GC.
-      */
-     funpob = js_NewParsedObjectBox(cx, tc->parseContext, FUN_OBJECT(fun));
-     if (!funpob)
-         return NULL;
-     /* Initialize early for possible flags mutation via DestructuringExpr. */
-     TREE_CONTEXT_INIT(&funtc, tc->parseContext);
-     funtc.flags |= TCF_IN_FUNCTION | (tc->flags & TCF_COMPILE_N_GO);
-     funtc.u.fun = fun;
      /* Now parse formal argument list and compute fun->nargs. */
      MUST_MATCH_TOKEN(TOK_LP, JSMSG_PAREN_BEFORE_FORMAL);
      if (!js_MatchToken(cx, ts, TOK_RP)) {
-Line 1215
+Line 2618
                  JSParseNode *lhs, *rhs;
                  jsint slot;
+                 /* See comment below in the TOK_NAME case. */
+                 if (duplicatedArg)
+                     goto report_dup_and_destructuring;
+                 destructuringArg = true;
                  /*
                   * A destructuring formal parameter turns into one or more
                   * local variables initialized from properties of a single
-Line 1241
+Line 2649
                   * anonymous positional parameter into the destructuring
                   * left-hand-side expression and accumulate it in list.
                   */
-                 rhs = NewParseNode(cx, ts, PN_NAME, tc);
+                 rhs = NewNameNode(cx, ts, cx->runtime->atomState.emptyAtom, &funtc);
                  if (!rhs)
                      return NULL;
                  rhs->pn_type = TOK_NAME;
                  rhs->pn_op = JSOP_GETARG;
-                 rhs->pn_atom = cx->runtime->atomState.emptyAtom;
+                 rhs->pn_cookie = MAKE_UPVAR_COOKIE(funtc.staticLevel, slot);
-                 rhs->pn_slot = slot;
+                 rhs->pn_dflags |= PND_BOUND;
-                 item = NewBinary(cx, TOK_ASSIGN, JSOP_NOP, lhs, rhs, tc);
+                 item = NewBinary(TOK_ASSIGN, JSOP_NOP, lhs, rhs, &funtc);
                  if (!item)
                      return NULL;
                  if (!list) {
-                     list = NewParseNode(cx, ts, PN_LIST, tc);
+                     list = NewParseNode(PN_LIST, &funtc);
                      if (!list)
                          return NULL;
                      list->pn_type = TOK_COMMA;
-                     PN_INIT_LIST(list);
+                     list->makeEmpty();
                  }
-                 PN_APPEND(list, item);
+                 list->append(item);
                  break;
                }
  #endif /* JS_HAS_DESTRUCTURING */
                case TOK_NAME:
-                 if (!BindArg(cx, CURRENT_TOKEN(ts).t_atom, &funtc))
+               {
+                 /*
+                  * Check for a duplicate parameter name, a "feature" that
+                  * ECMA-262 requires. This is a SpiderMonkey strict warning,
+                  * soon to be an ES3.1 strict error.
+                  *
+                  * Further, if any argument is a destructuring pattern, forbid
+                  * duplicates. We will report the error either now if we have
+                  * seen a destructuring pattern already, or later when we find
+                  * the first pattern.
+                  */
+                 JSAtom *atom = CURRENT_TOKEN(ts).t_atom;
+                 if (JS_HAS_STRICT_OPTION(cx) &&
+                     js_LookupLocal(cx, fun, atom, NULL) != JSLOCAL_NONE) {
+ #if JS_HAS_DESTRUCTURING
+                     if (destructuringArg)
+                         goto report_dup_and_destructuring;
+                     duplicatedArg = true;
+ #endif
+                     const char *name = js_AtomToPrintableString(cx, atom);
+                     if (!name ||
+                         !js_ReportCompileErrorNumber(cx, TS(funtc.compiler),
+                                                      NULL,
+                                                      JSREPORT_WARNING |
+                                                      JSREPORT_STRICT,
+                                                      JSMSG_DUPLICATE_FORMAL,
+                                                      name)) {
+                         return NULL;
+                     }
+                 }
+                 if (!DefineArg(pn, atom, fun->nargs, &funtc))
+                     return NULL;
+                 if (!js_AddLocal(cx, fun, atom, JSLOCAL_ARG))
                      return NULL;
                  break;
+               }
                default:
                  js_ReportCompileErrorNumber(cx, ts, NULL, JSREPORT_ERROR,
                                              JSMSG_MISSING_FORMAL);
+                 /* FALL THROUGH */
+               case TOK_ERROR:
                  return NULL;
+ #if JS_HAS_DESTRUCTURING
+               report_dup_and_destructuring:
+                 js_ReportCompileErrorNumber(cx, TS(tc->compiler), NULL,
+                                             JSREPORT_ERROR,
+                                             JSMSG_DESTRUCT_DUP_ARG);
+                 return NULL;
+ #endif
              }
          } while (js_MatchToken(cx, ts, TOK_COMMA));
-Line 1290
+Line 2741
  #else
      MUST_MATCH_TOKEN(TOK_LC, JSMSG_CURLY_BEFORE_BODY);
  #endif
-     pn->pn_pos.begin = CURRENT_TOKEN(ts).pos.begin;
      body = FunctionBody(cx, ts, &funtc);
      if (!body)
-Line 1299
+Line 2749
  #if JS_HAS_EXPR_CLOSURES
      if (tt == TOK_LC)
          MUST_MATCH_TOKEN(TOK_RC, JSMSG_CURLY_AFTER_BODY);
-     else if (lambda == 0)
+     else if (lambda == 0 && !MatchOrInsertSemicolon(cx, ts))
-         js_MatchToken(cx, ts, TOK_SEMI);
+         return NULL;
  #else
      MUST_MATCH_TOKEN(TOK_RC, JSMSG_CURLY_AFTER_BODY);
  #endif
-Line 1318
+Line 2768
          if (body->pn_arity != PN_LIST) {
              JSParseNode *block;
-             block = NewParseNode(cx, ts, PN_LIST, tc);
+             block = NewParseNode(PN_LIST, tc);
              if (!block)
                  return NULL;
              block->pn_type = TOK_SEQ;
              block->pn_pos = body->pn_pos;
-             PN_INIT_LIST_1(block, body);
+             block->initList(body);
              body = block;
          }
-         item = NewParseNode(cx, ts, PN_UNARY, tc);
+         item = NewParseNode(PN_UNARY, tc);
          if (!item)
              return NULL;
-Line 1340
+Line 2790
          if (body->pn_tail == &body->pn_head)
              body->pn_tail = &item->pn_next;
          ++body->pn_count;
+         body->pn_xflags |= PNX_DESTRUCT;
      }
  #endif
      /*
       * If we collected flags that indicate nested heavyweight functions, or
-      * this function contains heavyweight-making statements (references to
+      * this function contains heavyweight-making statements (with statement,
-      * __parent__ or __proto__; use of with, or eval; and assignment to
+      * visible eval call, or assignment to 'arguments'), flag the function as
-      * arguments), flag the function as heavyweight (requiring a call object
+      * heavyweight (requiring a call object per invocation).
-      * per invocation).
       */
      if (funtc.flags & TCF_FUN_HEAVYWEIGHT) {
          fun->flags |= JSFUN_HEAVYWEIGHT;
-Line 1356
+Line 2806
      } else {
          /*
           * If this function is a named statement function not at top-level
-          * (i.e. not a top-level function definiton or expression), then
+          * (i.e. not a top-level function definiton or expression), then our
-          * our enclosing function, if any, must be heavyweight.
+          * enclosing function, if any, must be heavyweight.
-          *
-          * The TCF_FUN_USES_NONLOCALS flag is set only by the code generator,
-          * so it won't be set here.  Assert that it's not.  We have to check
-          * it later, in js_EmitTree, after js_EmitFunctionScript has traversed
-          * the function's body.
           */
-         JS_ASSERT(!(funtc.flags & TCF_FUN_USES_NONLOCALS));
+         if (!topLevel && lambda == 0 && funAtom)
-         if (lambda == 0 && funAtom && !AT_TOP_LEVEL(tc))
              tc->flags |= TCF_FUN_HEAVYWEIGHT;
      }
-Line 1374
+Line 2818
          /*
           * ECMA ed. 3 standard: function expression, possibly anonymous.
           */
-         op = funAtom ? JSOP_NAMEDFUNOBJ : JSOP_ANONFUNOBJ;
+         op = JSOP_LAMBDA;
      } else if (!funAtom) {
          /*
           * If this anonymous function definition is *not* embedded within a
-Line 1383
+Line 2827
           * Edition 3 would have it).  Backward compatibility must trump all,
           * unless JSOPTION_ANONFUNFIX is set.
           */
-         result = NewParseNode(cx, ts, PN_UNARY, tc);
+         result = NewParseNode(PN_UNARY, tc);
          if (!result)
              return NULL;
          result->pn_type = TOK_SEMI;
          result->pn_pos = pn->pn_pos;
          result->pn_kid = pn;
-         op = JSOP_ANONFUNOBJ;
+         op = JSOP_LAMBDA;
-     } else if (!AT_TOP_LEVEL(tc)) {
+     } else if (!topLevel) {
          /*
           * ECMA ed. 3 extension: a function expression statement not at the
           * top level, e.g., in a compound statement such as the "then" part
-Line 1402
+Line 2846
          op = JSOP_NOP;
      }
-     pn->pn_funpob = funpob;
+     funbox->kids = funtc.functionList;
+     pn->pn_funbox = funbox;
      pn->pn_op = op;
-     pn->pn_body = body;
+     if (pn->pn_body) {
-     pn->pn_flags = funtc.flags & (TCF_FUN_FLAGS | TCF_HAS_DEFXMLNS | TCF_COMPILE_N_GO);
+         pn->pn_body->append(body);
-     TREE_CONTEXT_FINISH(cx, &funtc);
+         pn->pn_body->pn_pos = body->pn_pos;
+     } else {
+         pn->pn_body = body;
+     }
+     pn->pn_blockid = tc->blockid();
+     if (!LeaveFunction(pn, &funtc, tc, funAtom, lambda))
+         return NULL;
      return result;
  }
-Line 1435
+Line 2890
      JS_CHECK_RECURSION(cx, return NULL);
-     pn = NewParseNode(cx, ts, PN_LIST, tc);
+     pn = NewParseNode(PN_LIST, tc);
      if (!pn)
          return NULL;
+     pn->pn_type = TOK_LC;
+     pn->makeEmpty();
+     pn->pn_blockid = tc->blockid();
      saveBlock = tc->blockNode;
      tc->blockNode = pn;
-     PN_INIT_LIST(pn);
      for (;;) {
          ts->flags |= TSF_OPERAND;
          tt = js_PeekToken(cx, ts);
          ts->flags &= ~TSF_OPERAND;
          if (tt <= TOK_EOF || tt == TOK_RC) {
-             if (tt == TOK_ERROR)
+             if (tt == TOK_ERROR) {
+                 if (ts->flags & TSF_EOF)
+                     ts->flags |= TSF_UNEXPECTED_EOF;
                  return NULL;
+             }
              break;
          }
          pn2 = Statement(cx, ts, tc);
-Line 1468
+Line 2928
               * is relevant only for function definitions not at top-level,
               * which we call function statements.
               */
-             if (AT_TOP_LEVEL(tc))
+             if (tc->atTopLevel())
-                 pn->pn_extra |= PNX_FUNCDEFS;
+                 pn->pn_xflags |= PNX_FUNCDEFS;
              else
                  tc->flags |= TCF_HAS_FUNCTION_STMT;
          }
-         PN_APPEND(pn, pn2);
+         pn->append(pn2);
      }
      /*
-Line 1540
+Line 3000
  static JSBool
  BindLet(JSContext *cx, BindData *data, JSAtom *atom, JSTreeContext *tc)
  {
+     JSParseNode *pn;
      JSObject *blockObj;
-     JSScopeProperty *sprop;
      JSAtomListElement *ale;
-     uintN n;
+     jsint n;
-     blockObj = tc->blockChain;
+     /*
-     sprop = SCOPE_GET_PROPERTY(OBJ_SCOPE(blockObj), ATOM_TO_JSID(atom));
+      * Top-level 'let' is the same as 'var' currently -- this may change in a
-     ATOM_LIST_SEARCH(ale, &tc->decls, atom);
+      * successor standard to ES3.1 that specifies 'let'.
-     if (sprop || (ale && ALE_JSOP(ale) == JSOP_DEFCONST)) {
+      */
-         const char *name;
+     JS_ASSERT(!tc->atTopLevel());
-         if (sprop) {
-             JS_ASSERT(sprop->flags & SPROP_HAS_SHORTID);
-             JS_ASSERT((uint16)sprop->shortid < OBJ_BLOCK_COUNT(cx, blockObj));
-         }
-         name = js_AtomToPrintableString(cx, atom);
+     pn = data->pn;
+     blockObj = tc->blockChain;
+     ale = tc->decls.lookup(atom);
+     if (ale && ALE_DEFN(ale)->pn_blockid == tc->blockid()) {
+         const char *name = js_AtomToPrintableString(cx, atom);
          if (name) {
-             js_ReportCompileErrorNumber(cx, TS(tc->parseContext), data->pn,
+             js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn,
                                          JSREPORT_ERROR, JSMSG_REDECLARED_VAR,
-                                         (ale && ALE_JSOP(ale) == JSOP_DEFCONST)
+                                         (ale && ALE_DEFN(ale)->isConst())
                                          ? js_const_str
-                                         : "variable",
+                                         : js_variable_str,
                                          name);
          }
          return JS_FALSE;
-Line 1570
+Line 3029
      n = OBJ_BLOCK_COUNT(cx, blockObj);
      if (n == JS_BIT(16)) {
-         js_ReportCompileErrorNumber(cx, TS(tc->parseContext), data->pn,
+         js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn,
-                                     JSREPORT_ERROR, data->u.let.overflow);
+                                     JSREPORT_ERROR, data->let.overflow);
          return JS_FALSE;
      }
-     /* Use JSPROP_ENUMERATE to aid the disassembler. */
+     /*
-     return js_DefineNativeProperty(cx, blockObj, ATOM_TO_JSID(atom),
+      * Pass push = true to Define so it pushes an ale ahead of any outer scope.
-                                    JSVAL_VOID, NULL, NULL,
+      * This is balanced by PopStatement, defined immediately below.
-                                    JSPROP_ENUMERATE |
+      */
-                                    JSPROP_PERMANENT |
+     if (!Define(pn, atom, tc, true))
-                                    JSPROP_SHARED,
+         return JS_FALSE;
-                                    SPROP_HAS_SHORTID, (int16) n, NULL);
+     /*
+      * Assign block-local index to pn->pn_cookie right away, encoding it as an
+      * upvar cookie whose skip tells the current static level. The emitter will
+      * adjust the node's slot based on its stack depth model -- and, for global
+      * and eval code, JSCompiler::compileScript will adjust the slot again to
+      * include script->nfixed.
+      */
+     pn->pn_op = JSOP_GETLOCAL;
+     pn->pn_cookie = MAKE_UPVAR_COOKIE(tc->staticLevel, n);
+     pn->pn_dflags |= PND_LET | PND_BOUND;
+     /*
+      * Use JSPROP_ENUMERATE to aid the disassembler. Define the let binding's
+      * property before storing pn in a reserved slot, since block_reserveSlots
+      * depends on OBJ_SCOPE(blockObj)->entryCount.
+      */
+     if (!js_DefineNativeProperty(cx, blockObj, ATOM_TO_JSID(atom), JSVAL_VOID,
+                                  NULL, NULL,
+                                  JSPROP_ENUMERATE |
+                                  JSPROP_PERMANENT |
+                                  JSPROP_SHARED,
+                                  SPROP_HAS_SHORTID, (int16) n, NULL)) {
+         return JS_FALSE;
+     }
+     /*
+      * Store pn temporarily in what would be reserved slots in a cloned block
+      * object (once the prototype's final population is known, after all 'let'
+      * bindings for this block have been parsed). We will free these reserved
+      * slots in jsemit.cpp:EmitEnterBlock.
+      */
+     uintN slot = JSSLOT_FREE(&js_BlockClass) + n;
+     if (slot >= STOBJ_NSLOTS(blockObj) &&
+         !js_ReallocSlots(cx, blockObj, slot + 1, JS_FALSE)) {
+         return JS_FALSE;
+     }
+     OBJ_SCOPE(blockObj)->freeslot = slot + 1;
+     STOBJ_SET_SLOT(blockObj, slot, PRIVATE_TO_JSVAL(pn));
+     return JS_TRUE;
+ }
+ static void
+ PopStatement(JSTreeContext *tc)
+ {
+     JSStmtInfo *stmt = tc->topStmt;
+     if (stmt->flags & SIF_SCOPE) {
+         JSObject *obj = stmt->blockObj;
+         JSScope *scope = OBJ_SCOPE(obj);
+         JS_ASSERT(scope->object == obj);
+         for (JSScopeProperty *sprop = scope->lastProp; sprop; sprop = sprop->parent) {
+             JSAtom *atom = JSID_TO_ATOM(sprop->id);
+             /* Beware the empty destructuring dummy. */
+             if (atom == tc->compiler->context->runtime->atomState.emptyAtom)
+                 continue;
+             tc->decls.remove(tc->compiler, atom);
+         }
+     }
+     js_PopStatement(tc);
+ }
+ static inline bool
+ OuterLet(JSTreeContext *tc, JSStmtInfo *stmt, JSAtom *atom)
+ {
+     while (stmt->downScope) {
+         stmt = js_LexicalLookup(tc, atom, NULL, stmt->downScope);
+         if (!stmt)
+             return false;
+         if (stmt->type == STMT_BLOCK)
+             return true;
+     }
+     return false;
  }
  static JSBool
  BindVarOrConst(JSContext *cx, BindData *data, JSAtom *atom, JSTreeContext *tc)
  {
-     JSStmtInfo *stmt;
+     JSStmtInfo *stmt = js_LexicalLookup(tc, atom, NULL);
-     JSAtomListElement *ale;
+     JSParseNode *pn = data->pn;
-     JSOp op, prevop;
-     const char *name;
+     if (stmt && stmt->type == STMT_WITH) {
-     JSLocalKind localKind;
+         pn->pn_op = JSOP_NAME;
+         data->fresh = false;
+         return JS_TRUE;
+     }
-     stmt = js_LexicalLookup(tc, atom, NULL);
+     JSAtomListElement *ale = tc->decls.lookup(atom);
-     ATOM_LIST_SEARCH(ale, &tc->decls, atom);
+     JSOp op = data->op;
-     op = data->op;
-     if ((stmt && stmt->type != STMT_WITH) || ale) {
+     if (stmt || ale) {
-         prevop = ale ? ALE_JSOP(ale) : JSOP_DEFVAR;
+         JSDefinition *dn = ale ? ALE_DEFN(ale) : NULL;
-         if (JS_HAS_STRICT_OPTION(cx)
+         JSDefinition::Kind dn_kind = dn ? dn->kind() : JSDefinition::VAR;
-             ? op != JSOP_DEFVAR || prevop != JSOP_DEFVAR
+         const char *name;
-             : op == JSOP_DEFCONST || prevop == JSOP_DEFCONST) {
+         if (dn_kind == JSDefinition::ARG) {
              name = js_AtomToPrintableString(cx, atom);
-             if (!name ||
+             if (!name)
-                 !js_ReportCompileErrorNumber(cx, TS(tc->parseContext), data->pn,
+                 return JS_FALSE;
-                                              (op != JSOP_DEFCONST &&
-                                               prevop != JSOP_DEFCONST)
+             if (op == JSOP_DEFCONST) {
-                                              ? JSREPORT_WARNING |
+                 js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn,
-                                                JSREPORT_STRICT
+                                             JSREPORT_ERROR, JSMSG_REDECLARED_PARAM,
-                                              : JSREPORT_ERROR,
+                                             name);
-                                              JSMSG_REDECLARED_VAR,
-                                              (prevop == JSOP_DEFFUN)
-                                              ? js_function_str
-                                              : (prevop == JSOP_DEFCONST)
-                                              ? js_const_str
-                                              : js_var_str,
-                                              name)) {
                  return JS_FALSE;
              }
+             if (!js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn,
+                                              JSREPORT_WARNING | JSREPORT_STRICT,
+                                              JSMSG_VAR_HIDES_ARG, name)) {
+                 return JS_FALSE;
+             }
+         } else {
+             bool error = (op == JSOP_DEFCONST ||
+                           dn_kind == JSDefinition::CONST ||
+                           (dn_kind == JSDefinition::LET &&
+                            (stmt->type != STMT_CATCH || OuterLet(tc, stmt, atom))));
+             if (JS_HAS_STRICT_OPTION(cx)
+                 ? op != JSOP_DEFVAR || dn_kind != JSDefinition::VAR
+                 : error) {
+                 name = js_AtomToPrintableString(cx, atom);
+                 if (!name ||
+                     !js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn,
+                                                  !error
+                                                  ? JSREPORT_WARNING | JSREPORT_STRICT
+                                                  : JSREPORT_ERROR,
+                                                  JSMSG_REDECLARED_VAR,
+                                                  JSDefinition::kindString(dn_kind),
+                                                  name)) {
+                     return JS_FALSE;
+                 }
+             }
          }
-         if (op == JSOP_DEFVAR && prevop == JSOP_DEFFUN)
-             tc->flags |= TCF_FUN_CLOSURE_VS_VAR;
      }
      if (!ale) {
-         ale = js_IndexAtom(cx, atom, &tc->decls);
+         if (!Define(pn, atom, tc))
+             return JS_FALSE;
+     } else {
+         /*
+          * A var declaration never recreates an existing binding, it restates
+          * it and possibly reinitializes its value. Beware that if pn becomes a
+          * use of ALE_DEFN(ale), and if we have an initializer for this var or
+          * const (typically a const would ;-), then pn must be rewritten into a
+          * TOK_ASSIGN node. See Variables, further below.
+          *
+          * A case such as let (x = 1) { var x = 2; print(x); } is even harder.
+          * There the x definition is hoisted but the x = 2 assignment mutates
+          * the block-local binding of x.
+          */
+         JSDefinition *dn = ALE_DEFN(ale);
+         data->fresh = false;
+         if (!pn->pn_used) {
+             /* Make pnu be a fresh name node that uses dn. */
+             JSParseNode *pnu = pn;
+             if (pn->pn_defn) {
+                 pnu = NewNameNode(cx, TS(tc->compiler), atom, tc);
+                 if (!pnu)
+                     return JS_FALSE;
+             }
+             LinkUseToDef(pnu, dn, tc);
+             pnu->pn_op = JSOP_NAME;
+         }
+         while (dn->kind() == JSDefinition::LET) {
+             do {
+                 ale = ALE_NEXT(ale);
+             } while (ale && ALE_ATOM(ale) != atom);
+             if (!ale)
+                 break;
+             dn = ALE_DEFN(ale);
+         }
+         if (ale) {
+             JS_ASSERT_IF(data->op == JSOP_DEFCONST,
+                          dn->kind() == JSDefinition::CONST);
+             return JS_TRUE;
+         }
+         /*
+          * A var or const that is shadowed by one or more let bindings of the
+          * same name, but that has not been declared until this point, must be
+          * hoisted above the let bindings.
+          */
+         if (!pn->pn_defn) {
+             JSHashEntry **hep;
+             ale = tc->lexdeps.rawLookup(atom, hep);
+             if (ale) {
+                 pn = ALE_DEFN(ale);
+                 tc->lexdeps.rawRemove(tc->compiler, ale, hep);
+             } else {
+                 JSParseNode *pn2 = NewNameNode(cx, TS(tc->compiler), atom, tc);
+                 if (!pn2)
+                     return JS_FALSE;
+                 /* The token stream may be past the location for pn. */
+                 pn2->pn_type = TOK_NAME;
+                 pn2->pn_pos = pn->pn_pos;
+                 pn = pn2;
+             }
+             pn->pn_op = JSOP_NAME;
+         }
+         ale = tc->decls.add(tc->compiler, atom, JSAtomList::HOIST);
          if (!ale)
              return JS_FALSE;
+         ALE_SET_DEFN(ale, pn);
+         pn->pn_defn = true;
+         pn->pn_dflags &= ~PND_PLACEHOLDER;
      }
-     ALE_SET_JSOP(ale, op);
+     if (data->op == JSOP_DEFCONST)
+         pn->pn_dflags |= PND_CONST;
      if (!(tc->flags & TCF_IN_FUNCTION)) {
          /*
-          * Don't lookup global variables or variables in an active frame at
+          * If we are generating global or eval-called-from-global code, bind a
-          * compile time.
+          * "gvar" here, as soon as possible. The JSOP_GETGVAR, etc., ops speed
+          * up global variable access by memoizing name-to-slot mappings in the
+          * script prolog (via JSOP_DEFVAR/JSOP_DEFCONST). If the memoization
+          * can't be done due to a pre-existing property of the same name as the
+          * var or const but incompatible attributes/getter/setter/etc, these
+          * ops devolve to JSOP_NAME, etc.
+          *
+          * For now, don't try to lookup eval frame variables at compile time.
+          * Seems sub-optimal: why couldn't we find eval-called-from-a-function
+          * upvars early and possibly simplify jsemit.cpp:BindNameToSlot?
           */
+         pn->pn_op = JSOP_NAME;
+         if ((tc->flags & TCF_COMPILING) && !tc->compiler->callerFrame) {
+             JSCodeGenerator *cg = (JSCodeGenerator *) tc;
+             /* Index atom so we can map fast global number to name. */
+             ale = cg->atomList.add(tc->compiler, atom);
+             if (!ale)
+                 return JS_FALSE;
+             /* Defend against cg->ngvars 16-bit overflow. */
+             uintN slot = ALE_INDEX(ale);
+             if ((slot + 1) >> 16)
+                 return JS_TRUE;
+             if ((uint16)(slot + 1) > cg->ngvars)
+                 cg->ngvars = (uint16)(slot + 1);
+             pn->pn_op = JSOP_GETGVAR;
+             pn->pn_cookie = MAKE_UPVAR_COOKIE(tc->staticLevel, slot);
+             pn->pn_dflags |= PND_BOUND | PND_GVAR;
+         }
+         return JS_TRUE;
+     }
+     if (atom == cx->runtime->atomState.argumentsAtom) {
+         pn->pn_op = JSOP_ARGUMENTS;
+         pn->pn_dflags |= PND_BOUND;
          return JS_TRUE;
      }
-     localKind = js_LookupLocal(cx, tc->u.fun, atom, NULL);
+     JSLocalKind localKind = js_LookupLocal(cx, tc->fun, atom, NULL);
      if (localKind == JSLOCAL_NONE) {
          /*
           * Property not found in current variable scope: we have not seen this
-          * variable before.  Define a new local variable by adding a property
+          * variable before. Define a new local variable by adding a property to
-          * to the function's scope, allocating one slot in the function's vars
+          * the function's scope and allocating one slot in the function's vars
-          * frame. Any locals declared in with statement bodies are handled at
+          * frame. Any locals declared in a with statement body are handled at
-          * runtime, by script prolog JSOP_DEFVAR opcodes generated for
+          * runtime, by script prolog JSOP_DEFVAR opcodes generated for global
-          * slot-less vars.
+          * and heavyweight-function-local vars.
           */
          localKind = (data->op == JSOP_DEFCONST) ? JSLOCAL_CONST : JSLOCAL_VAR;
-         if (!js_InWithStatement(tc) &&
-             !BindLocalVariable(cx, tc->u.fun, atom, localKind)) {
-             return JS_FALSE;
-         }
-     } else if (localKind == JSLOCAL_ARG) {
-         name = js_AtomToPrintableString(cx, atom);
-         if (!name)
-             return JS_FALSE;
-         if (op == JSOP_DEFCONST) {
+         uintN index = tc->fun->u.i.nvars;
-             js_ReportCompileErrorNumber(cx, TS(tc->parseContext), data->pn,
+         if (!BindLocalVariable(cx, tc->fun, atom, localKind))
-                                         JSREPORT_ERROR, JSMSG_REDECLARED_PARAM,
-                                         name);
              return JS_FALSE;
-         }
+         pn->pn_op = JSOP_GETLOCAL;
-         if (!js_ReportCompileErrorNumber(cx, TS(tc->parseContext), data->pn,
+         pn->pn_cookie = MAKE_UPVAR_COOKIE(tc->staticLevel, index);
-                                          JSREPORT_WARNING | JSREPORT_STRICT,
+         pn->pn_dflags |= PND_BOUND;
-                                          JSMSG_VAR_HIDES_ARG, name)) {
+         return JS_TRUE;
-             return JS_FALSE;
+     }
-         }
+     if (localKind == JSLOCAL_ARG) {
+         /* We checked errors and strict warnings earlier -- see above. */
+         JS_ASSERT(ale && ALE_DEFN(ale)->kind() == JSDefinition::ARG);
      } else {
          /* Not an argument, must be a redeclared local var. */
          JS_ASSERT(localKind == JSLOCAL_VAR || localKind == JSLOCAL_CONST);
      }
+     pn->pn_op = JSOP_NAME;
      return JS_TRUE;
  }
-Line 1683
+Line 3345
      JS_ASSERT(pn->pn_arity == PN_LIST);
      JS_ASSERT(pn->pn_op == JSOP_CALL || pn->pn_op == JSOP_EVAL || pn->pn_op == JSOP_APPLY);
      pn2 = pn->pn_head;
-     if (pn2->pn_type == TOK_FUNCTION && (pn2->pn_flags & TCF_GENEXP_LAMBDA)) {
+     if (pn2->pn_type == TOK_FUNCTION && (pn2->pn_funbox->tcflags & TCF_GENEXP_LAMBDA)) {
-         js_ReportCompileErrorNumber(cx, TS(tc->parseContext), pn,
+         js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn, JSREPORT_ERROR, msg);
-                                     JSREPORT_ERROR, msg);
          return JS_FALSE;
      }
      pn->pn_op = JSOP_SETCALL;
      return JS_TRUE;
  }
+ static void
+ NoteLValue(JSContext *cx, JSParseNode *pn, JSTreeContext *tc, uintN dflag = PND_ASSIGNED)
+ {
+     if (pn->pn_used) {
+         JSDefinition *dn = pn->pn_lexdef;
+         /*
+          * Save the win of PND_INITIALIZED if we can prove 'var x;' and 'x = y'
+          * occur as direct kids of the same block with no forward refs to x.
+          */
+         if (!(dn->pn_dflags & (PND_INITIALIZED | PND_CONST | PND_PLACEHOLDER)) &&
+             dn->isBlockChild() &&
+             pn->isBlockChild() &&
+             dn->pn_blockid == pn->pn_blockid &&
+             dn->pn_pos.end <= pn->pn_pos.begin &&
+             dn->dn_uses == pn) {
+             dflag = PND_INITIALIZED;
+         }
+         dn->pn_dflags |= dflag;
+         if (dn->frameLevel() != tc->staticLevel) {
+             /*
+              * The above condition takes advantage of the all-ones nature of
+              * FREE_UPVAR_COOKIE, and the reserved level FREE_STATIC_LEVEL.
+              * We make a stronger assertion by excluding FREE_UPVAR_COOKIE.
+              */
+             JS_ASSERT_IF(dn->pn_cookie != FREE_UPVAR_COOKIE,
+                          dn->frameLevel() < tc->staticLevel);
+             tc->flags |= TCF_FUN_SETS_OUTER_NAME;
+         }
+     }
+     pn->pn_dflags |= dflag;
+     if (pn->pn_atom == cx->runtime->atomState.argumentsAtom)
+         tc->flags |= TCF_FUN_HEAVYWEIGHT;
+ }
  #if JS_HAS_DESTRUCTURING
  static JSBool
-Line 1713
+Line 3413
      data->pn = pn;
      if (!data->binder(cx, data, atom, tc))
          return JS_FALSE;
-     data->pn = NULL;
      /*
-      * Select the appropriate name-setting opcode, which may be specialized
+      * Select the appropriate name-setting opcode, respecting eager selection
-      * further for local variable and argument slot optimizations.  At this
+      * done by the data->binder function.
-      * point, we can't select the optimal final opcode, yet we must preserve
-      * the CONST bit and convey "set", not "get".
       */
-     if (data->op == JSOP_DEFCONST) {
+     if (pn->pn_dflags & PND_BOUND) {
-         pn->pn_op = JSOP_SETCONST;
+         pn->pn_op = (pn->pn_op == JSOP_ARGUMENTS)
-         pn->pn_const = JS_TRUE;
+                     ? JSOP_SETNAME
+                     : (pn->pn_dflags & PND_GVAR)
+                     ? JSOP_SETGVAR
+                     : JSOP_SETLOCAL;
      } else {
-         pn->pn_op = JSOP_SETNAME;
+         pn->pn_op = (data->op == JSOP_DEFCONST)
-         pn->pn_const = JS_FALSE;
+                     ? JSOP_SETCONST
+                     : JSOP_SETNAME;
      }
+     if (data->op == JSOP_DEFCONST)
+         pn->pn_dflags |= PND_CONST;
+     NoteLValue(cx, pn, tc, PND_INITIALIZED);
      return JS_TRUE;
  }
-Line 1757
+Line 3463
      switch (pn->pn_type) {
        case TOK_NAME:
-         if (pn->pn_atom == cx->runtime->atomState.argumentsAtom)
+         NoteLValue(cx, pn, tc);
-             tc->flags |= TCF_FUN_HEAVYWEIGHT;
          /* FALL THROUGH */
        case TOK_DOT:
        case TOK_LB:
          pn->pn_op = JSOP_SETNAME;
-Line 1782
+Line 3488
  #endif
        default:
-         js_ReportCompileErrorNumber(cx, TS(tc->parseContext), pn,
+         js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn,
                                      JSREPORT_ERROR, JSMSG_BAD_LEFTSIDE_OF_ASS);
          return JS_FALSE;
      }
-Line 1803
+Line 3509
  } FindPropValEntry;
  #define ASSERT_VALID_PROPERTY_KEY(pnkey)                                      \
-     JS_ASSERT((pnkey)->pn_arity == PN_NULLARY &&                              \
+     JS_ASSERT(((pnkey)->pn_arity == PN_NULLARY &&                             \
-               ((pnkey)->pn_type == TOK_NUMBER ||                              \
+                ((pnkey)->pn_type == TOK_NUMBER ||                             \
-                (pnkey)->pn_type == TOK_STRING ||                              \
+                 (pnkey)->pn_type == TOK_STRING ||                             \
-                (pnkey)->pn_type == TOK_NAME))
+                 (pnkey)->pn_type == TOK_NAME)) ||                             \
+                (pnkey)->pn_arity == PN_NAME && (pnkey)->pn_type == TOK_NAME)
  static JSDHashNumber
  HashFindPropValKey(JSDHashTable *table, const void *key)
-Line 1876
+Line 3583
      step = 0;
      ASSERT_VALID_PROPERTY_KEY(pnid);
      pnhead = pn->pn_head;
-     if (pnhead && pnhead->pn_type == TOK_DEFSHARP)
-         pnhead = pnhead->pn_next;
      if (pnid->pn_type == TOK_NUMBER) {
          for (pnprop = pnhead; pnprop; pnprop = pnprop->pn_next) {
              JS_ASSERT(pnprop->pn_type == TOK_COLON);
-Line 1936
+Line 3641
   * If data is null, the caller is AssignExpr and instead of binding variables,
   * we specialize lvalues in the propery value positions of the left-hand side.
   * If right is null, just check for well-formed lvalues.
+  *
+  * See also UndominateInitializers, immediately below. If you change either of
+  * these functions, you might have to change the other to match.
   */
  static JSBool
  CheckDestructuring(JSContext *cx, BindData *data,
-Line 1947
+Line 3655
      JSParseNode *lhs, *rhs, *pn, *pn2;
      if (left->pn_type == TOK_ARRAYCOMP) {
-         js_ReportCompileErrorNumber(cx, TS(tc->parseContext), left,
+         js_ReportCompileErrorNumber(cx, TS(tc->compiler), left,
                                      JSREPORT_ERROR, JSMSG_ARRAY_COMP_LEFTSIDE);
          return JS_FALSE;
      }
  #if JS_HAS_DESTRUCTURING_SHORTHAND
-     if (right && right->pn_arity == PN_LIST && (right->pn_extra & PNX_SHORTHAND)) {
+     if (right && right->pn_arity == PN_LIST && (right->pn_xflags & PNX_DESTRUCT)) {
-         js_ReportCompileErrorNumber(cx, TS(tc->parseContext), right,
+         js_ReportCompileErrorNumber(cx, TS(tc->compiler), right,
                                      JSREPORT_ERROR, JSMSG_BAD_OBJECT_INIT);
          return JS_FALSE;
      }
-Line 1962
+Line 3670
      fpvd.table.ops = NULL;
      lhs = left->pn_head;
-     if (lhs && lhs->pn_type == TOK_DEFSHARP) {
-         pn = lhs;
-         goto no_var_name;
-     }
      if (left->pn_type == TOK_RB) {
          rhs = (right && right->pn_type == left->pn_type)
                ? right->pn_head
-Line 2067
+Line 3770
      if (data &&
          data->binder == BindLet &&
          OBJ_BLOCK_COUNT(cx, tc->blockChain) == 0) {
-         ok = js_DefineNativeProperty(cx, tc->blockChain,
+         ok = !!js_DefineNativeProperty(cx, tc->blockChain,
-                                      ATOM_TO_JSID(cx->runtime->
+                                        ATOM_TO_JSID(cx->runtime->
-                                                   atomState.emptyAtom),
+                                                     atomState.emptyAtom),
-                                      JSVAL_VOID, NULL, NULL,
+                                        JSVAL_VOID, NULL, NULL,
-                                      JSPROP_ENUMERATE |
+                                        JSPROP_ENUMERATE |
-                                      JSPROP_PERMANENT |
+                                        JSPROP_PERMANENT |
-                                      JSPROP_SHARED,
+                                        JSPROP_SHARED,
-                                      SPROP_HAS_SHORTID, 0, NULL);
+                                        SPROP_HAS_SHORTID, 0, NULL);
          if (!ok)
              goto out;
      }
-Line 2087
+Line 3790
      return ok;
    no_var_name:
-     js_ReportCompileErrorNumber(cx, TS(tc->parseContext), pn, JSREPORT_ERROR,
+     js_ReportCompileErrorNumber(cx, TS(tc->compiler), pn, JSREPORT_ERROR,
                                  JSMSG_NO_VARIABLE_NAME);
      ok = JS_FALSE;
      goto out;
  }
+ /*
+  * This is a greatly pared down version of CheckDestructuring that extends the
+  * pn_pos.end source coordinate of each name in a destructuring binding such as
+  *
+  *   var [x, y] = [function () y, 42];
+  *
+  * to cover its corresponding initializer, so that the initialized binding does
+  * not appear to dominate any closures in its initializer. See bug 496134.
+  *
+  * The quick-and-dirty dominance computation in JSCompiler::setFunctionKinds is
+  * not very precise. With one-pass SSA construction from structured source code
+  * (see "Single-Pass Generation of Static Single Assignment Form for Structured
+  * Languages", Brandis and Mössenböck), we could do much better.
+  *
+  * See CheckDestructuring, immediately above. If you change either of these
+  * functions, you might have to change the other to match.
+  */
+ static JSBool
+ UndominateInitializers(JSParseNode *left, JSParseNode *right, JSTreeContext *tc)
+ {
+     FindPropValData fpvd;
+     JSParseNode *lhs, *rhs;
+     JS_ASSERT(left->pn_type != TOK_ARRAYCOMP);
+     JS_ASSERT(right);
+ #if JS_HAS_DESTRUCTURING_SHORTHAND
+     if (right->pn_arity == PN_LIST && (right->pn_xflags & PNX_DESTRUCT)) {
+         js_ReportCompileErrorNumber(tc->compiler->context, TS(tc->compiler), right,
+                                     JSREPORT_ERROR, JSMSG_BAD_OBJECT_INIT);
+         return JS_FALSE;
+     }
+ #endif
+     if (right->pn_type != left->pn_type)
+         return JS_TRUE;
+     fpvd.table.ops = NULL;
+     lhs = left->pn_head;
+     if (left->pn_type == TOK_RB) {
+         rhs = right->pn_head;
+         while (lhs && rhs) {
+             /* Nullary comma is an elision; binary comma is an expression.*/
+             if (lhs->pn_type != TOK_COMMA || lhs->pn_arity != PN_NULLARY) {
+                 if (lhs->pn_type == TOK_RB || lhs->pn_type == TOK_RC) {
+                     if (!UndominateInitializers(lhs, rhs, tc))
+                         return JS_FALSE;
+                 } else {
+                     lhs->pn_pos.end = rhs->pn_pos.end;
+                 }
+             }
+             lhs = lhs->pn_next;
+             rhs = rhs->pn_next;
+         }
+     } else {
+         JS_ASSERT(left->pn_type == TOK_RC);
+         fpvd.numvars = left->pn_count;
+         fpvd.maxstep = 0;
+         while (lhs) {
+             JS_ASSERT(lhs->pn_type == TOK_COLON);
+             JSParseNode *pn = lhs->pn_right;
+             rhs = FindPropertyValue(right, lhs->pn_left, &fpvd);
+             if (pn->pn_type == TOK_RB || pn->pn_type == TOK_RC) {
+                 if (rhs && !UndominateInitializers(pn, rhs, tc))
+                     return JS_FALSE;
+             } else {
+                 if (rhs)
+                     pn->pn_pos.end = rhs->pn_pos.end;
+             }
+             lhs = lhs->pn_next;
+         }
+     }
+     return JS_TRUE;
+ }
  static JSParseNode *
  DestructuringExpr(JSContext *cx, BindData *data, JSTreeContext *tc,
                    JSTokenType tt)
  {
+     JSTokenStream *ts;
      JSParseNode *pn;
-     pn = PrimaryExpr(cx, TS(tc->parseContext), tc, tt, JS_FALSE);
+     ts = TS(tc->compiler);
+     ts->flags |= TSF_DESTRUCTURING;
+     pn = PrimaryExpr(cx, ts, tc, tt, JS_FALSE);
+     ts->flags &= ~TSF_DESTRUCTURING;
      if (!pn)
          return NULL;
      if (!CheckDestructuring(cx, data, pn, NULL, tc))
-Line 2107
+Line 3894
      return pn;
  }
- // Currently used only #if JS_HAS_DESTRUCTURING, in Statement's TOK_FOR case.
+ /*
+  * Currently used only #if JS_HAS_DESTRUCTURING, in Statement's TOK_FOR case.
+  * This function assumes the cloned tree is for use in the same statement and
+  * binding context as the original tree.
+  */
  static JSParseNode *
- CloneParseTree(JSContext *cx, JSParseNode *opn, JSTreeContext *tc)
+ CloneParseTree(JSParseNode *opn, JSTreeContext *tc)
  {
      JSParseNode *pn, *pn2, *opn2;