From 5bf9e470f8290dde983797e695e5156374d81962 Mon Sep 17 00:00:00 2001
From: Toon Verwaest
Date: Thu, 8 Nov 2018 11:07:42 +0100
Subject: [PATCH] [parser] Fix cover-grammar initializer positions

Since we use a ScopedPtrList to track cover grammar expressions we don't know the position of the commas anymore. The position of the commas was used to demark the initializer, which is needed to figure out whether we need hole checks for variable references. (Typically only references within the initializer need hole checks for the initialized variable.) Since we didn't have the comma position, we simply used the position of the first expression as the position of any subsequent comma, which would make it seem as if the initializer body wasn't in the initializer. Now instead we simply use the position of the subsequent parameter as the end of the initializer, which is close enough.

Bug: chromium:902810
Change-Id: I8d2bc7a2dc9f59db16ce56ccef01e263a18a3b7a
Reviewed-on: https://chromium-review.googlesource.com/c/1326022
Reviewed-by: Igor Sheludko
Commit-Queue: Toon Verwaest
Cr-Commit-Position: refs/heads/master@{#57357}
---
 src/parsing/parser.cc | 4 ++--
 test/mjsunit/regress/regress-902810.js | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-902810.js
diff --git a/src/parsing/parser.cc b/src/parsing/parser.cc
index 7ab313e0fc..dcd1b9f1e4 100644
--- a/src/parsing/parser.cc
+++ b/src/parsing/parser.cc
@@ -3511,12 +3511,12 @@ Expression* Parser::ExpressionListToExpression(
 if (args.length() == 1) return expr;
 if (args.length() == 2) {
 return factory()->NewBinaryOperation(Token::COMMA, expr, args.at(1),
- expr->position());
+ args.at(1)->position());
 }
 NaryOperation* result =
 factory()->NewNaryOperation(Token::COMMA, expr, args.length() - 1);
 for (int i = 1; i < args.length(); i++) {
- result->AddSubsequent(args.at(i), expr->position());
+ result->AddSubsequent(args.at(i), args.at(i)->position());
 }
 return result;
 }
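Review bot: The two replaced arguments in `ExpressionListToExpression` now pass the position of the following operand in the slot where `NewBinaryOperation` and `AddSubsequent` take the comma operator's position, and nothing in the code records that this is a deliberate approximation. The commit message says this position bounds the initializer used to decide whether a variable reference needs a hole check, so a wrong value here can silently elide that check; a comment above the `args.length() == 2` branch such as `// Comma positions are not tracked by ScopedPtrList; use the next operand's position as the end of the preceding initializer.` would keep a later cleanup from reverting to `expr->position()`. Any other consumer that reads the comma operation's position will presumably now see the operand's position instead, which is worth confirming. The function begins outside the hunk.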
diff --git a/test/mjsunit/regress/regress-902810.js b/test/mjsunit/regress/regress-902810.js
new file mode 100644
index 0000000000..76ea7d9443
--- /dev/null
+++ b/test/mjsunit/regress/regress-902810.js
@@ -0,0 +1,5 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows("((__v_4 = __v_4, __v_0) => eval(__v_4))()", ReferenceError)
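Review bot: The regression test has only two parameters, so it reaches the `args.length() == 2` branch of `ExpressionListToExpression` and leaves the changed `AddSubsequent` loop for three or more expressions untested. A second assertion with a third parameter, for example `assertThrows("((__v_4 = __v_4, __v_0, __v_1) => eval(__v_4))()", ReferenceError)`, would presumably cover the n-ary path and guard the hole check there as well.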