Fix sloppy block-scoped function hoisting with nested zones

The sloppy block-scoped function declaration placeholder statements are held in parser_zone_-allocated hashtables. These hashtables are not updated when local_zone_s are removed. Therefore, the NewSloppyBlockFunctionStatement method should allocate SloppyBlockScopeFunctionStatements in the parser_zone_ to avoid a use-after-free. Scope fixup code may end up updating something which is thrown away, but this is a small cost and much simpler than removing dead hashtable entries later. R=adamk LOG=Y BUG=chromium:537816 Review URL: https://codereview.chromium.org/1564923007 Cr-Commit-Position: refs/heads/master@{#33185}
2016-01-08 08:15:56 -08:00 · 2016-01-08 08:15:56 -08:00 · eb9deba815
commit eb9deba815
parent 32879ae0fa
2 changed files with 5 additions and 4 deletions
--- a/src/ast/ast.h
+++ b/src/ast/ast.h
@ -3090,8 +3090,8 @@ class AstNodeFactory final BASE_EMBEDDED {

  SloppyBlockFunctionStatement* NewSloppyBlockFunctionStatement(
      Statement* statement, Scope* scope) {
-    return new (local_zone_)
-        SloppyBlockFunctionStatement(local_zone_, statement, scope);
+    return new (parser_zone_)
+        SloppyBlockFunctionStatement(parser_zone_, statement, scope);
  }

  CaseClause* NewCaseClause(
--- a/test/cctest/test-parsing.cc
+++ b/test/cctest/test-parsing.cc
@ -1410,13 +1410,13 @@ TEST(DiscardFunctionBody) {
  // See comments in ParseFunctionLiteral in parser.cc.
  const char* discard_sources[] = {
      "(function f() { function g() { var a; } })();",
+      "(function f() { function g() { { function h() { } } } })();",
      /* TODO(conradw): In future it may be possible to apply this optimisation
       * to these productions.
      "(function f() { 0, function g() { var a; } })();",
      "(function f() { 0, { g() { var a; } } })();",
      "(function f() { 0, class c { g() { var a; } } })();", */
-      NULL
-  };
+      NULL};

  i::Isolate* isolate = CcTest::i_isolate();
  i::Factory* factory = isolate->factory();
@ -1448,6 +1448,7 @@ TEST(DiscardFunctionBody) {
    } else {
      // TODO(conradw): This path won't be hit until the other test cases can be
      // uncommented.
+      UNREACHABLE();
      CHECK_NOT_NULL(inner->body());
      CHECK_GE(2, inner->body()->length());
      i::Expression* exp = inner->body()->at(1)->AsExpressionStatement()->