[parser] Fix bytecode mismatch for this

Fixes bytecode mismatch between lazy and non-lazy where "this" was marked as maybe assigned in constructors that called the super constructor. Since this will return the hole in cases where it was not yet initialized by super (and the hole is explicitly handled by JSContextSpecialization::ReduceJSLoadContext), it's safe to treat it as a constant in all cases. In the case of lazy compilation case, "this" is never added to the ScopeInfo so is never seen as mutable. Bug: chromium:994719 Change-Id: I43478fbc626b19eb1533aa9dec61b7f276ae140b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762025 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63283}
2019-08-20 14:44:27 +01:00 · 2019-08-20 14:44:27 +01:00 · dd54736795
commit dd54736795
parent 74e68e6a8a
2 changed files with 13 additions and 1 deletions
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@ -3412,7 +3412,7 @@ typename ParserBase<Impl>::ExpressionT ParserBase<Impl>::ParseSuperExpression(
      // TODO(rossberg): This might not be the correct FunctionState for the
      // method here.
      expression_scope()->RecordThisUse();
-      UseThis()->SetMaybeAssigned();
+      UseThis();
      return impl()->NewSuperCallReference(pos);
    }
  }
--- a/test/mjsunit/regress/regress-crbug-994719.js
+++ b/test/mjsunit/regress/regress-crbug-994719.js
@ -0,0 +1,12 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy --enable-lazy-source-positions --stress-lazy-source-positions
+
+class C extends Object {
+  constructor() {
+    () => this;
+    super();
+  }
+}