[parser] Fix bytecode mismatch for this
Fixes bytecode mismatch between lazy and non-lazy where "this" was marked as maybe assigned in constructors that called the super constructor. Since "this" will return the hole in cases where it was not yet initialized by super (and the hole is explicitly handled by JSContextSpecialization::ReduceJSLoadContext), it's safe to treat it as a constant in all cases. In the lazy compilation case, "this" is never added to the ScopeInfo so is never seen as mutable. Bug: chromium:994719 Change-Id: I43478fbc626b19eb1533aa9dec61b7f276ae140b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762025 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63283}
parent
74e68e6a8a
commit
dd54736795
@ -3412,7 +3412,7 @@ typename ParserBase<Impl>::ExpressionT ParserBase<Impl>::ParseSuperExpression(
|
||||
// TODO(rossberg): This might not be the correct FunctionState for the
|
||||
// method here.
|
||||
expression_scope()->RecordThisUse();
|
||||
UseThis()->SetMaybeAssigned();
|
||||
UseThis();
|
||||
return impl()->NewSuperCallReference(pos);
|
||||
}
|
||||
}
|
||||
|
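--- a/test/mjsunit/regress/regress-crbug-994719.js
+++ b/test/mjsunit/regress/regress-crbug-994719.js
@@ -0,0 +1,12 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy --enable-lazy-source-positions --stress-lazy-source-positions
+
+class C extends Object {
+constructor() {
+() => this;
+super();
+}
+}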
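Review bot: The new regression test defines `class C` but never instantiates it, so the constructor body at lines 64-73 is never executed and the test only exercises the parse/compile path that the flags stress. That appears intentional, since the bytecode mismatch is presumably detected during compilation, but a reader cannot tell that from the file; a short comment such as `// The mismatch is caught at compile time under the flags above; C need not be instantiated.` would make the intent explicit. If the goal is also to confirm that treating `this` as a constant does not break the runtime hole handling described in the commit message, appending `new C();` after the class would cover that path as well.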