[parser] Reset expression_scope_ stack to nullptr when parsing a function body

That way we can properly walk the active ambiguous stack of expressions and stop where it's non-ambiguous. In the bug we would have forced context allocation of "this" in an outer function because an inner function was parsed as part of an arrow function head and "this" was referenced. That caused the ambiguous arrow head scope to be marked, even though the reference came from a non-ambiguous function. Bug: chromium:930580 Change-Id: I0bf0fa569e2d2ca1dc26b0514fe5bdb48ab7ae6f Reviewed-on: https://chromium-review.googlesource.com/c/1462005 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#59488}
2019-02-11 09:45:51 +01:00 · 2019-02-11 09:45:51 +01:00 · 486ec80a7d
commit 486ec80a7d
parent 462a01505c
2 changed files with 11 additions and 0 deletions
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@ -3808,6 +3808,8 @@ void ParserBase<Impl>::ParseFunctionBody(
    StatementListT* body, IdentifierT function_name, int pos,
    const FormalParametersT& parameters, FunctionKind kind,
    FunctionLiteral::FunctionType function_type, FunctionBodyType body_type) {
+  FunctionBodyParsingScope body_parsing_scope(impl());
+
  if (IsResumableFunction(kind)) impl()->PrepareGeneratorVariables();

  DeclarationScope* function_scope = parameters.scope;
--- a/test/mjsunit/regress/regress-crbug-930580.js
+++ b/test/mjsunit/regress/regress-crbug-930580.js
@ -0,0 +1,9 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function outer() {
+  (arg = (function inner() {
+    return this
+  })()) => 0;
+})();