[turbofan] Fix invalid lowering of let variable in TDZ.
This fixes JSNativeContextSpecialization to not lower JSLoadGlobal and JSStoreGlobal nodes if the global variable has morphed into a context variable that is currently within a TDZ. Scary variable binding is being scary! R=bmeurer@chromium.org TEST=cctest/test-decls/Regress3941 --turbo-filter="f" BUG=v8:4470 LOG=n Review URL: https://codereview.chromium.org/1415733003 Cr-Commit-Position: refs/heads/master@{#31405}
This commit is contained in:
parent
e41614a058
commit
4de969cebe
@ -62,6 +62,7 @@ Reduction JSNativeContextSpecialization::ReduceJSLoadGlobal(Node* node) {
|
|||||||
// Try to lookup the name on the script context table first (lexical scoping).
|
// Try to lookup the name on the script context table first (lexical scoping).
|
||||||
ScriptContextTableLookupResult result;
|
ScriptContextTableLookupResult result;
|
||||||
if (LookupInScriptContextTable(name, &result)) {
|
if (LookupInScriptContextTable(name, &result)) {
|
||||||
|
if (result.context->is_the_hole(result.index)) return NoChange();
|
||||||
Node* context = jsgraph()->Constant(result.context);
|
Node* context = jsgraph()->Constant(result.context);
|
||||||
Node* value = effect = graph()->NewNode(
|
Node* value = effect = graph()->NewNode(
|
||||||
javascript()->LoadContext(0, result.index, result.immutable), context,
|
javascript()->LoadContext(0, result.index, result.immutable), context,
|
||||||
@ -143,6 +144,7 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreGlobal(Node* node) {
|
|||||||
// Try to lookup the name on the script context table first (lexical scoping).
|
// Try to lookup the name on the script context table first (lexical scoping).
|
||||||
ScriptContextTableLookupResult result;
|
ScriptContextTableLookupResult result;
|
||||||
if (LookupInScriptContextTable(name, &result)) {
|
if (LookupInScriptContextTable(name, &result)) {
|
||||||
|
if (result.context->is_the_hole(result.index)) return NoChange();
|
||||||
if (result.immutable) return NoChange();
|
if (result.immutable) return NoChange();
|
||||||
Node* context = jsgraph()->Constant(result.context);
|
Node* context = jsgraph()->Constant(result.context);
|
||||||
effect = graph()->NewNode(javascript()->StoreContext(0, result.index),
|
effect = graph()->NewNode(javascript()->StoreContext(0, result.index),
|
||||||
@ -670,7 +672,6 @@ bool JSNativeContextSpecialization::LookupInScriptContextTable(
|
|||||||
}
|
}
|
||||||
Handle<Context> script_context = ScriptContextTable::GetContext(
|
Handle<Context> script_context = ScriptContextTable::GetContext(
|
||||||
script_context_table, lookup_result.context_index);
|
script_context_table, lookup_result.context_index);
|
||||||
if (script_context->is_the_hole(lookup_result.slot_index)) return false;
|
|
||||||
result->context = script_context;
|
result->context = script_context;
|
||||||
result->immutable = IsImmutableVariableMode(lookup_result.mode);
|
result->immutable = IsImmutableVariableMode(lookup_result.mode);
|
||||||
result->index = lookup_result.slot_index;
|
result->index = lookup_result.slot_index;
|
||||||
|
Loading…
Reference in New Issue
Block a user