From 4de969cebe8288a96b77e319f4fce113c979b5d7 Mon Sep 17 00:00:00 2001 From: mstarzinger Date: Tue, 20 Oct 2015 03:37:26 -0700 Subject: [PATCH] [turbofan] Fix invalid lowering of let variable in TDZ. This fixes JSNativeContextSpecialization to not lower JSLoadGlobal and JSStoreGlobal nodes if the global variable has morphed into a context variable that is currently within a TDZ. Scary variable binding is being scary! R=bmeurer@chromium.org TEST=cctest/test-decls/Regress3941 --turbo-filter="f" BUG=v8:4470 LOG=n Review URL: https://codereview.chromium.org/1415733003 Cr-Commit-Position: refs/heads/master@{#31405} --- src/compiler/js-native-context-specialization.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc index f7312b3153..3fb7c3d5df 100644 --- a/src/compiler/js-native-context-specialization.cc +++ b/src/compiler/js-native-context-specialization.cc @@ -62,6 +62,7 @@ Reduction JSNativeContextSpecialization::ReduceJSLoadGlobal(Node* node) { // Try to lookup the name on the script context table first (lexical scoping). ScriptContextTableLookupResult result; if (LookupInScriptContextTable(name, &result)) { + if (result.context->is_the_hole(result.index)) return NoChange(); Node* context = jsgraph()->Constant(result.context); Node* value = effect = graph()->NewNode( javascript()->LoadContext(0, result.index, result.immutable), context, @@ -143,6 +144,7 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreGlobal(Node* node) { // Try to lookup the name on the script context table first (lexical scoping). ScriptContextTableLookupResult result; if (LookupInScriptContextTable(name, &result)) { + if (result.context->is_the_hole(result.index)) return NoChange(); if (result.immutable) return NoChange(); Node* context = jsgraph()->Constant(result.context); effect = graph()->NewNode(javascript()->StoreContext(0, result.index), @@ -670,7 +672,6 @@ bool JSNativeContextSpecialization::LookupInScriptContextTable( } Handle script_context = ScriptContextTable::GetContext( script_context_table, lookup_result.context_index); - if (script_context->is_the_hole(lookup_result.slot_index)) return false; result->context = script_context; result->immutable = IsImmutableVariableMode(lookup_result.mode); result->index = lookup_result.slot_index;