So, I just noticed old v8's didn't follow the new Function specs and decided to review my Higgs' patch, and discovered you can break it with:
```js
new Function("/{{/; }; x = 'evil'; /}/; function(){");
```
This should create a global x variable because the code counts the brackets inside regexps for balancing. Well, it should do that, but I just get an endless stream of GC instead:
```
$ ./higgs
Entering read-eval-print loop
To exit, press Ctrl+D (end-of-file) or type "exit" at the prompt
h> new Function("/{{/}; var x = 1; /}/; function(){")()
entering gcCollect
leaving gcCollect
entering gcCollect
leaving gcCollect
entering gcCollect
leaving gcCollect
entering gcCollect
leaving gcCollect
entering gcCollect
leaving gcCollect
^C
```
Anyway, fixing this is not quite trivial with the counting-brackets approach because / might be either a division operator or the start of a regexp inside an expression, depending on whether there's another slash on the same expression/line. I should have a patch for this by the weekend.
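The brace-counting problem described in this issue, as an added example that is not part of the original post and is not Higgs code: it runs the string from the issue and one constructed harmless body through two brace counters and through a standalone parse of the body. All function names are hypothetical, the counters are assumed to reject only when the depth drops below zero, and the host engine (for example current Node.js) is assumed to parse the `new Function` body on its own as the spec requires.

```javascript
// Added illustration: these checkers are hypothetical and are not the Higgs patch.

// Checker A: counts every brace, including braces inside regex literals.
// Assumption: it rejects only when a '}' would close the engine's wrapper.
function countAllBraces(body) {
  let depth = 0;
  for (const ch of body) {
    if (ch === '{') depth++;
    else if (ch === '}' && --depth < 0) return false;
  }
  return true;
}

// Checker B: same counter, but skips anything between two slashes on one line,
// guessing that it is a regex literal. Division makes that guess wrong.
function countSkippingSlashPairs(body) {
  return countAllBraces(body.replace(/\/[^\/\n]*\//g, ''));
}

// Checker C: the body must parse as a function body on its own.
// Assumption: the host engine does this inside `new Function`, which only
// compiles the body and never runs it here.
function parsesAsStandaloneBody(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The string from the issue, and a constructed harmless body that uses division.
const fromIssue = "/{{/; }; x = 'evil'; /}/; function(){";
const harmless = "if (a / b > 1) { c = d / 2; }";

// Verdicts in the order [A, B, C]; true means "accepted".
function verdicts(body) {
  return [countAllBraces, countSkippingSlashPairs, parsesAsStandaloneBody]
    .map((check) => check(body));
}

console.log(verdicts(fromIssue)); // [ true, false, false ]
console.log(verdicts(harmless));  // [ true, false, true ]
```

Checker A accepts the string from the issue, and checker B rejects a legitimate body because it reads the two division operators as regex delimiters; only the standalone parse gets both right.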