[turbofan] Fix invalid lowering of let variable in TDZ.

This fixes JSNativeContextSpecialization to not lower JSLoadGlobal and
JSStoreGlobal nodes if the global variable has morphed into a context
variable that is currently within its temporal dead zone (TDZ). Scary
variable binding is being scary!

R=bmeurer@chromium.org
TEST=cctest/test-decls/Regress3941 --turbo-filter="f"
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1415733003

Cr-Commit-Position: refs/heads/master@{#31405}
mstarzinger 2015-10-20 03:37:26 -07:00 committed by Commit bot
parent e41614a058
commit 4de969cebe


@ -62,6 +62,7 @@ Reduction JSNativeContextSpecialization::ReduceJSLoadGlobal(Node* node) {
// Try to lookup the name on the script context table first (lexical scoping). // Try to lookup the name on the script context table first (lexical scoping).
ScriptContextTableLookupResult result; ScriptContextTableLookupResult result;
if (LookupInScriptContextTable(name, &result)) { if (LookupInScriptContextTable(name, &result)) {
if (result.context->is_the_hole(result.index)) return NoChange();
Node* context = jsgraph()->Constant(result.context); Node* context = jsgraph()->Constant(result.context);
Node* value = effect = graph()->NewNode( Node* value = effect = graph()->NewNode(
javascript()->LoadContext(0, result.index, result.immutable), context, javascript()->LoadContext(0, result.index, result.immutable), context,
@ -143,6 +144,7 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreGlobal(Node* node) {
// Try to lookup the name on the script context table first (lexical scoping). // Try to lookup the name on the script context table first (lexical scoping).
ScriptContextTableLookupResult result; ScriptContextTableLookupResult result;
if (LookupInScriptContextTable(name, &result)) { if (LookupInScriptContextTable(name, &result)) {
if (result.context->is_the_hole(result.index)) return NoChange();
if (result.immutable) return NoChange(); if (result.immutable) return NoChange();
Node* context = jsgraph()->Constant(result.context); Node* context = jsgraph()->Constant(result.context);
effect = graph()->NewNode(javascript()->StoreContext(0, result.index), effect = graph()->NewNode(javascript()->StoreContext(0, result.index),
@ -670,7 +672,6 @@ bool JSNativeContextSpecialization::LookupInScriptContextTable(
} }
Handle<Context> script_context = ScriptContextTable::GetContext( Handle<Context> script_context = ScriptContextTable::GetContext(
script_context_table, lookup_result.context_index); script_context_table, lookup_result.context_index);
if (script_context->is_the_hole(lookup_result.slot_index)) return false;
result->context = script_context; result->context = script_context;
result->immutable = IsImmutableVariableMode(lookup_result.mode); result->immutable = IsImmutableVariableMode(lookup_result.mode);
result->index = lookup_result.slot_index; result->index = lookup_result.slot_index;
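Review bot: The new `is_the_hole` bail-outs in ReduceJSLoadGlobal and ReduceJSStoreGlobal carry no comment, and with the check removed in the last hunk LookupInScriptContextTable now returns true for a slot that still holds the hole. That contract change is invisible at the call sites: a later caller that omits the check would emit a LoadContext/StoreContext with no hole check on an uninitialized binding, which is the kind of silent miscompile this commit is fixing. I would add above each bail-out something like `// Binding is still in its TDZ (slot holds the hole); keep the generic node so the TDZ check is not skipped.` and state on LookupInScriptContextTable that `result->index` may refer to a slot that is still the hole and that callers must test it before lowering. The check reads the slot once while the reducer runs, so it is presumably sound only because an initialized let/const slot never becomes the hole again; that assumption belongs in the comment too. All three function bodies continue outside the visible hunks.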