Fix scopes for body of sloppy-mode for-in/of loop

This patch fixes an obscure edge case for functions defined as the direct body of a for-of/for-in loop, such as the following: for (foo in []) function foo() { return foo; } Here, the first occurrence of foo should point to the outer scope; however, before this patch, it pointed to the inner foo in an invalid way which caused an assertion about the scope chain to fail. This patch fixes the scope chain by inserting an extra scope for the body of the loop, not including the header. BUG=chromium:542099 LOG=N R=rossberg Review URL: https://codereview.chromium.org/1396663004 Cr-Commit-Position: refs/heads/master@{#31268}
2015-10-14 10:36:06 -07:00 · 2015-10-14 10:36:06 -07:00 · d0618585a7
commit d0618585a7
parent e6d45f1a78
2 changed files with 30 additions and 3 deletions
--- a/src/parser.cc
+++ b/src/parser.cc
@ -3793,17 +3793,26 @@ Statement* Parser::ParseForStatement(ZoneList<const AstRawString*>* labels,

        // Make a block around the statement in case a lexical binding
        // is introduced, e.g. by a FunctionDeclaration.
+        // This block must not use for_scope as its scope because if a
+        // lexical binding is introduced which overlaps with the for-in/of,
+        // expressions in head of the loop should actually have variables
+        // resolved in the outer scope.
+        Scope* body_scope = NewScope(for_scope, BLOCK_SCOPE);
+        scope_ = body_scope;
        Block* block =
            factory()->NewBlock(NULL, 1, false, RelocInfo::kNoPosition);
        Statement* body = ParseSubStatement(NULL, CHECK_OK);
        block->statements()->Add(body, zone());
        InitializeForEachStatement(loop, expression, enumerable, block);
        scope_ = saved_scope;
+        body_scope->set_end_position(scanner()->location().end_pos);
+        body_scope = body_scope->FinalizeBlockScope();
+        if (body_scope != nullptr) {
+          block->set_scope(body_scope);
+        }
        for_scope->set_end_position(scanner()->location().end_pos);
        for_scope = for_scope->FinalizeBlockScope();
-        if (for_scope != nullptr) {
-          block->set_scope(for_scope);
-        }
+        DCHECK(for_scope == nullptr);
        // Parsed for-in loop.
        return loop;

--- a/test/mjsunit/regress/regress-542099.js
+++ b/test/mjsunit/regress/regress-542099.js
@ -0,0 +1,18 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-sloppy --harmony-sloppy-function
+
+// Previously, this caused a CHECK fail in debug mode
+// https://code.google.com/p/chromium/issues/detail?id=542099
+
+var foo = {};
+var bar = foo;
+for (foo.x in {a: 1}) function foo() { return foo; }
+assertEquals("object", typeof bar);
+assertEquals("a", bar.x);
+assertEquals("function", typeof foo);
+assertEquals("function", typeof foo());
+assertSame(foo, foo());
+assertEquals(undefined, foo.x);