[parser] Prevent lazy parsing of arrow functions

Change Parser::AllowsLazyParsingWithoutUnresolvedVariables to return false if it may be parsing an arrow function. Bug: v8:9758, v8:8510 Change-Id: Ic5d213d4358ff954a169c03e449197c3f050880c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1816510 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#63920}
2019-09-20 15:19:07 +01:00 · 2019-09-20 15:19:07 +01:00 · 4921821b2f
commit 4921821b2f
parent 8d7c581a2a
2 changed files with 12 additions and 2 deletions
--- a/src/parsing/parser.h
+++ b/src/parsing/parser.h
@ -172,8 +172,9 @@ class V8_EXPORT_PRIVATE Parser : public NON_EXPORTED_BASE(ParserBase<Parser>) {
      parsing::ReportErrorsAndStatisticsMode stats_mode);

  bool AllowsLazyParsingWithoutUnresolvedVariables() const {
-    return scope()->AllowsLazyParsingWithoutUnresolvedVariables(
-        original_scope_);
+    return !MaybeParsingArrowhead() &&
+           scope()->AllowsLazyParsingWithoutUnresolvedVariables(
+               original_scope_);
  }

  bool parse_lazily() const { return mode_ == PARSE_LAZILY; }
--- a/test/mjsunit/regress/regress-v8-9758.js
+++ b/test/mjsunit/regress/regress-v8-9758.js
@ -0,0 +1,9 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --throws
+
+// Can't put this in a try-catch as that changes the parsing so the crash
+// doesn't reproduce.
+((a = ((b = a) => {})()) => 1)();