Fix lazy parsing heuristics to respect outer scope.

This makes sure that a function literal is only parsed lazily when the outer scope actually allows lazy compilation. Otherwise compilation will crash due to a missing function body. R=ulan@chromium.org BUG=chromium:135008 TEST=mjsunit/regress/regress-crbug-135008 Review URL: https://chromiumcodereview.appspot.com/10698032 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11945 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-06-28 14:56:28 +00:00 · 2012-06-28 14:56:28 +00:00 · a691c693fb
commit a691c693fb
parent 6504c92c0a
2 changed files with 47 additions and 0 deletions
--- a/src/parser.cc
+++ b/src/parser.cc
@ -4521,6 +4521,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,
    // The heuristics are:
    // - It must not have been prohibited by the caller to Parse (some callers
    //   need a full AST).
+    // - The outer scope must allow lazy compilation of inner functions.
    // - The function mustn't be a function expression with an open parenthesis
    //   before; we consider that a hint that the function will be called
    //   immediately, and it would be a waste of time to make it lazily
@ -4528,6 +4529,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,
    // These are all things we can know at this point, without looking at the
    // function itself.
    bool is_lazily_compiled = (mode() == PARSE_LAZILY &&
+                               top_scope_->AllowsLazyCompilation() &&
                               !parenthesized_function_);
    parenthesized_function_ = false;  // The bit was set for this function only.

--- a/test/mjsunit/regress/regress-crbug-135008.js
+++ b/test/mjsunit/regress/regress-crbug-135008.js
@ -0,0 +1,45 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Filler long enough to trigger lazy parsing.
+var filler = "//" + new Array(1024).join('x');
+
+var scope = { x:23 };
+
+with(scope) {
+  eval(
+    "scope.f = (function outer() {" +
+    "  function inner() {" +
+    "    return x;" +
+    "  }" +
+    "  return inner;" +
+    "})();" +
+    filler
+  );
+};
+
+assertSame(23, scope.f());