From e0d608a2b1dcdd8a02c3d3db691bafec8461815a Mon Sep 17 00:00:00 2001
From: vogelheim
Date: Mon, 28 Nov 2016 06:43:35 -0800
Subject: [PATCH] Fix 'combo breaker' in CreateDynamicFunction to handle template literals.
BUG=chromium:663410
Review-Url: https://codereview.chromium.org/2533463002
Cr-Commit-Position: refs/heads/master@{#41320}
---
 src/builtins/builtins-function.cc | 2 +-
 test/mjsunit/regress-crbug-663410.js | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress-crbug-663410.js
diff --git a/src/builtins/builtins-function.cc b/src/builtins/builtins-function.cc
index 3672794527..6cd1b283ec 100644
--- a/src/builtins/builtins-function.cc
+++ b/src/builtins/builtins-function.cc
@@ -61,7 +61,7 @@ MaybeHandle CreateDynamicFunction(Isolate* isolate,
 // If the formal parameters include an unbalanced block comment, the
 // function must be rejected. Since JavaScript does not allow nested
 // comments we can include a trailing block comment to catch this.
- builder.AppendCString("\n/**/");
+ builder.AppendCString("\n/*``*/");
 }
 builder.AppendCString(") {\n");
 if (argc > 0) {
diff --git a/test/mjsunit/regress-crbug-663410.js b/test/mjsunit/regress-crbug-663410.js
new file mode 100644
index 0000000000..5bef089f11
--- /dev/null
+++ b/test/mjsunit/regress-crbug-663410.js
@@ -0,0 +1,8 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function alert(x) {};
+assertThrows(
+ Function("a=`","`,xss=1){alert(xss)")
+);
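Review bot: The comment above the changed `AppendCString` call in CreateDynamicFunction (src/builtins/builtins-function.cc) still describes only the unbalanced block comment case, so the backtick pair added inside the sentinel is unexplained and reads like a typo. I would extend the comment with something like `// The backtick pair inside the comment is the same kind of guard for a template literal left open by the parameters.` More broadly, this guard works by enumerating token kinds that can span the appended `) {`, so each further multi-line token form would need its own sentinel. It seems worth considering a structural check that the parsed parameter list ends at the offset where the builder appended the closing parenthesis. The function starts and ends outside the hunk, so how the assembled source is parsed is not visible here.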
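Review bot: In test/mjsunit/regress-crbug-663410.js, `Function(...)` is evaluated as an argument before `assertThrows` runs, so a SyntaxError raised by the constructor would escape the test instead of being caught, and the assertion only ever exercises a call to the function the constructor returned. As written the test therefore passes when construction succeeds and the later call throws for any reason, which does not show that the malformed parameter list is rejected. I would wrap the construction and pin the error type: `assertThrows(function() { Function(/* same two arguments */); }, SyntaxError);`. If that stricter form fails, the sentinel in builtins-function.cc does not yet reject this input at construction time and the fix needs another look.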