Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a

# HG changeset patch
# User Shu-yu Guo <shu@rfrn.org>
# Date 1459741387 -7200
# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
# Parent  9d4364f6b55c6ee65c13c491292c3abe1ee2c993
Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu

diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/parser/bug-1254164.js
@@ -0,0 +1,6 @@
+// |jit-test| slow;
+
+var s = '';
+for (var i = 0; i < 70000; i++)
+    s += 'function x' + i + '() { x' + i + '(); }\n';
+eval("(function() { " + s + " })();");
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
     // JITs when interpreting/compiling aliasedvar ops.)
 
     // Since unaliased variables are, by definition, only accessed by local
     // operations and never through the scope chain, only give shapes to
     // aliased variables. While the debugger may observe any scope object at
     // any time, such accesses are mediated by DebugScopeProxy (see
     // DebugScopeProxy::handleUnaliasedAccess).
     uint32_t nslots = CallObject::RESERVED_SLOTS;
-    uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
+
+    // Unless there are aliased body-level lexical bindings at all, set the
+    // begin index to an impossible slot number.
+    uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
     for (BindingIter bi(self); bi; bi++) {
         if (bi->aliased()) {
             // Per ES6, lexical bindings cannot be accessed until
             // initialized. Remember the first aliased slot that is a
             // body-level lexical, so that they may be initialized to sentinel
             // magic values.
             if (numBodyLevelLexicals > 0 &&
                 nslots < aliasedBodyLevelLexicalBegin &&
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -201,18 +201,18 @@ class Bindings
     friend class BindingIter;
     friend class AliasedFormalIter;
 
     RelocatablePtrShape callObjShape_;
     uintptr_t bindingArrayAndFlag_;
     uint16_t numArgs_;
     uint16_t numBlockScoped_;
     uint16_t numBodyLevelLexicals_;
-    uint16_t aliasedBodyLevelLexicalBegin_;
     uint16_t numUnaliasedBodyLevelLexicals_;
+    uint32_t aliasedBodyLevelLexicalBegin_;
     uint32_t numVars_;
     uint32_t numUnaliasedVars_;
 
 #if JS_BITS_PER_WORD == 32
     // Bindings is allocated inline inside JSScript, which needs to be
     // gc::Cell aligned.
     uint32_t padding_;
 #endif