[interpreter] DYNAMIC_GLOBAL needs to walk the context chain starting from current_scope, not closure_scope

The main reason why we currently don't see this fail is that block-scopes always appear to have an extension: the scope info object is stored there. Bug: Change-Id: I38f0c15387e235eeea9a57c95af0d9eb185dad2a Reviewed-on: https://chromium-review.googlesource.com/785951 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#49585}
2017-11-22 17:40:24 +01:00 · 2017-11-22 17:40:24 +01:00 · da0af28545
commit da0af28545
parent 4379533ca4
4 changed files with 14 additions and 3 deletions
--- a/src/interpreter/bytecode-generator.cc
+++ b/src/interpreter/bytecode-generator.cc
@ -2370,7 +2370,7 @@ void BytecodeGenerator::BuildVariableLoad(Variable* variable,
        }
        case DYNAMIC_GLOBAL: {
          int depth =
-              closure_scope()->ContextChainLengthUntilOutermostSloppyEval();
+              current_scope()->ContextChainLengthUntilOutermostSloppyEval();
          FeedbackSlot slot = GetCachedLoadGlobalICSlot(typeof_mode, variable);
          builder()->LoadLookupGlobalSlot(variable->raw_name(), typeof_mode,
                                          feedback_index(slot), depth);
--- a/test/cctest/interpreter/bytecode_expectations/ForOfLoop.golden
+++ b/test/cctest/interpreter/bytecode_expectations/ForOfLoop.golden
@ -208,7 +208,7 @@ bytecodes: [
                B(StaCurrentContextSlot), U8(4),
                B(Ldar), R(4),
                B(StaCurrentContextSlot), U8(4),
-  /*   41 S> */ B(LdaLookupGlobalSlot), U8(6), U8(12), U8(1),
+  /*   41 S> */ B(LdaLookupGlobalSlot), U8(6), U8(12), U8(3),
                B(Star), R(15),
                B(LdaConstant), U8(7),
                B(Star), R(16),
--- a/test/cctest/interpreter/bytecode_expectations/StandardForLoop.golden
+++ b/test/cctest/interpreter/bytecode_expectations/StandardForLoop.golden
@ -99,7 +99,7 @@ bytecodes: [
                B(TestEqual), R(2), U8(3),
                B(JumpIfFalse), U8(54),
  /*   17 E> */ B(StackCheck),
-  /*   48 S> */ B(LdaLookupGlobalSlot), U8(2), U8(4), U8(1),
+  /*   48 S> */ B(LdaLookupGlobalSlot), U8(2), U8(4), U8(3),
                B(Star), R(7),
                B(LdaConstant), U8(3),
                B(Star), R(8),
--- a/test/mjsunit/ignition/dynamic-global-inside-block.js
+++ b/test/mjsunit/ignition/dynamic-global-inside-block.js
@ -0,0 +1,11 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Verifies that DYNAMIC_GLOBAL variables walk the correct context-chain length
+// to reach the sloppy-eval calling function context, including block contexts.
+function test() {
+  return eval('var x = 100; { function z() {z}; x }')
+}
+
+test();