[crankshaft] Prevent inlining of new.target functions.

This moves the bailout for functions containing new.target variable to the correct place so that Crankshaft doesn't accidentally inline such functions, yielding an "undefined" new.target value all the time. R=bmeurer@chromium.org TEST=mjsunit/es6/regress/regress-inlined-new-target Review URL: https://codereview.chromium.org/1484163003 Cr-Commit-Position: refs/heads/master@{#32468}
2015-12-01 06:19:25 -08:00 · 2015-12-01 06:19:25 -08:00 · 8c793fed78
commit 8c793fed78
parent 6aa9b10faf
2 changed files with 20 additions and 0 deletions
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@ -8381,6 +8381,13 @@ bool HOptimizedGraphBuilder::TryInline(Handle<JSFunction> target,
    }
  }

+  // Unsupported variable references present.
+  if (function->scope()->this_function_var() != nullptr ||
+      function->scope()->new_target_var() != nullptr) {
+    TraceInline(target, caller, "target uses new target or this function");
+    return false;
+  }
+
  // All declarations must be inlineable.
  ZoneList<Declaration*>* decls = target_info.scope()->declarations();
  int decl_count = decls->length();
--- a/test/mjsunit/es6/regress/regress-inlined-new-target.js
+++ b/test/mjsunit/es6/regress/regress-inlined-new-target.js
@ -0,0 +1,13 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function g() { return { val: new.target }; }
+function f() { return (new g()).val; }
+
+assertEquals(g, f());
+assertEquals(g, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(g, f());