Reviewers: ulan,

Description:
Fix lazy parsing heuristics to respect outer scope.

This makes sure that a function literal is only parsed lazily when the
outer scope actually allows lazy compilation. Otherwise compilation would
crash because the lazily parsed function has no body.

[email protected]
BUG=chromium:135008
TEST=mjsunit/regress/regress-crbug-135008


Please review this at https://chromiumcodereview.appspot.com/10698032/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/parser.cc
  A + test/mjsunit/regress/regress-crbug-135008.js


Index: src/parser.cc
diff --git a/src/parser.cc b/src/parser.cc
index df6dc3b8445ae12c0ea7e29b23035625974be4e4..e8d20bfa63896b37cc111ed781c2df10ac01b337 100644
--- a/src/parser.cc
+++ b/src/parser.cc
@@ -4521,6 +4521,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,
     // The heuristics are:
// - It must not have been prohibited by the caller to Parse (some callers
     //   need a full AST).
+    // - The outer scope must allow lazy compilation of inner functions.
// - The function mustn't be a function expression with an open parenthesis
     //   before; we consider that a hint that the function will be called
     //   immediately, and it would be a waste of time to make it lazily
@@ -4528,6 +4529,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,
 // These are all things we can know at this point, without looking at the
     // function itself.
     bool is_lazily_compiled = (mode() == PARSE_LAZILY &&
+                               top_scope_->AllowsLazyCompilation() &&
                                !parenthesized_function_);
parenthesized_function_ = false; // The bit was set for this function only.
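Review bot: The reason for the new `top_scope_->AllowsLazyCompilation()` term in the `is_lazily_compiled` condition lives only in the commit message, not next to the code. The heuristics list above now says the outer scope must allow lazy compilation, but a reader does not learn what goes wrong otherwise; a short why-comment on the new line would close that gap, e.g. `// Without this, a function inside a scope that forbids lazy compilation would be compiled with no body (crbug 135008).`. Both hunks sit inside Parser::ParseFunctionLiteral, whose body starts and ends outside the hunk.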

Index: test/mjsunit/regress/regress-crbug-135008.js
diff --git a/test/mjsunit/compiler/regress-toint32.js b/test/mjsunit/regress/regress-crbug-135008.js
similarity index 83%
copy from test/mjsunit/compiler/regress-toint32.js
copy to test/mjsunit/regress/regress-crbug-135008.js
index 54c2f76dd75a3006dd0b040f0ce31c28f0a7ec29..2be396e8055a916b1f7c7370ff32ff0d40eea762 100644
--- a/test/mjsunit/compiler/regress-toint32.js
+++ b/test/mjsunit/regress/regress-crbug-135008.js
@@ -25,21 +25,21 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-// Flags: --allow-natives-syntax --noenable-sse3
+// Filler long enough to trigger lazy parsing.
+var filler = "//" + new Array(1024).join('x');

-var a = new Int32Array(1);
-var G = 0x80000000;
+var scope = { x:23 };

-function f(x) {
-  var v = x;
-  v = v + 1;
-  a[0] = v;
-  v = v - 1;
-  return v;
-}
-
-assertEquals(G, f(G));
-assertEquals(G, f(G));
-%OptimizeFunctionOnNextCall(f);
-assertEquals(G, f(G));
+with(scope) {
+  eval(
+    "scope.f = (function outer() {" +
+    "  function inner() {" +
+    "    return x;" +
+    "  }" +
+    "  return inner;" +
+    "})();" +
+    filler
+  );
+};

+assertSame(23, scope.f());
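Review bot: The `};` that closes the `with` block on the new side leaves a stray empty statement after the block; `}` alone is enough. The test also gives no hint of why `with` combined with `eval` is used; per the commit description the intent seems to be an outer scope that does not allow lazy compilation, so a comment such as `// with + eval: an outer scope that must not be compiled lazily.` above the `with` would make the regression it guards against clear to a reader. I am inferring that intent from the description rather than from the test itself, so confirm the wording before adding it.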

