From d984311efe89f169289d5b5c09690d8acc2b071a Mon Sep 17 00:00:00 2001
From: Luke Wagner
Date: Wed, 16 Jun 2010 23:14:02 -0700
Subject: [PATCH] Bug 572625 - create call object only after new frame is pushed (r=dvander)

---
 js/src/jsops.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/js/src/jsops.cpp b/js/src/jsops.cpp
index db5ea189f37..ba693d591e1 100644
--- a/js/src/jsops.cpp
+++ b/js/src/jsops.cpp
@@ -2076,10 +2076,6 @@ BEGIN_CASE(JSOP_APPLY)
 for (jsval *v = newfp->slots(); v != newsp; ++v)
 *v = JSVAL_VOID;
 
-/* Scope with a call object parented by callee's parent. */
-if (fun->isHeavyweight() && !js_GetCallObject(cx, newfp))
-goto error;
-
 /* Switch version if currentVersion wasn't overridden. */
 newfp->callerVersion = (JSVersion) cx->version;
 if (JS_LIKELY(cx->version == currentVersion)) {
@@ -2101,6 +2097,10 @@ BEGIN_CASE(JSOP_APPLY)
 script = newscript;
 atoms = script->atomMap.vector;
 
+/* Now that the new frame is rooted, maybe create a call object. */
+if (fun->isHeavyweight() && !js_GetCallObject(cx, fp))
+goto error;
+
 /* Call the debugger hook if present. */
 if (JSInterpreterHook hook = cx->debugHooks->callHook) {
 fp->hookData = hook(cx, fp, JS_TRUE, 0,
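Review bot: The relocated check in the second hunk passes `fp` to js_GetCallObject where the removed line passed `newfp`, which is only equivalent if `fp` has been re-pointed at the new frame somewhere between the two hunks; that reassignment is not visible here and should be confirmed. Because the `goto error` is now taken after the frame has been pushed and `script`/`atoms` have already been switched to the callee, the error path must unwind the pushed frame and restore the interpreter's script and atom state rather than assuming the caller frame is still current; the `error` label and the rest of the JSOP_APPLY case lie outside both hunks, so I cannot tell from the patch whether it does. A one-line comment above the new check would make the invariant explicit for the next reader: `/* fp is the freshly pushed callee frame; on failure the error path must pop it. */`.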