Reviewers: Yang,
Message:
Committed patchset #1 manually as r19576 (tree was closed).
Description:
Fix for Clusterfuzz issue 343928.
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.
BUG=343928
[email protected]
LOG=N
Committed: https://code.google.com/p/v8/source/detail?r=19576
Please review this at https://codereview.chromium.org/183103003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+33, -2 lines):
M src/contexts.h
M src/objects.cc
A test/mjsunit/regress/regress-343928.js
Index: src/contexts.h
diff --git a/src/contexts.h b/src/contexts.h
index
b2e0661a348557a864150c67fa78985b53f18452..d15ef867686504ab095c240fb5c128723cd9e806
100644
--- a/src/contexts.h
+++ b/src/contexts.h
@@ -226,8 +226,11 @@ enum BindingFlags {
// In addition, function contexts may have statically allocated context
slots
// to store local variables/functions that are accessed from inner
functions
// (via static context addresses) or through 'eval' (dynamic context
lookups).
-// Finally, the native context contains additional slots for fast access to
-// native properties.
+// The native context contains additional slots for fast access to native
+// properties.
+//
+// Finally, with Harmony scoping, the JSFunction representing a top level
+// script will have the GlobalContext rather than a FunctionContext.
class Context: public FixedArray {
public:
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
410292d336aa97362a462e308c6fd6100dd04e97..7c704bce31f8992002a4a3050ea174bd813e19b0
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5443,6 +5443,12 @@ bool JSObject::ReferencesObject(Object* obj) {
// Check the context extension (if any) if it can have references.
if (context->has_extension() && !context->IsCatchContext()) {
+ // With harmony scoping, a JSFunction may have a global context.
+ // TODO(mvstanton): walk into the ScopeInfo.
+ if (FLAG_harmony_scoping && context->IsGlobalContext()) {
+ return false;
+ }
+
return JSObject::cast(context->extension())->ReferencesObject(obj);
}
}
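Review bot: The new guard in the extension check keys on `FLAG_harmony_scoping` and `IsGlobalContext()` rather than on what `context->extension()` actually holds, so the `JSObject::cast` on the following line stays unprotected for any other context kind whose extension is not a JSObject. Testing the value itself, e.g. `if (!context->extension()->IsJSObject()) return false;`, would cover the cast independently of the flag. If the cast is unchecked in release builds (not visible here), a missed case would be a type confusion rather than an assertion failure. Until the TODO is resolved, the comment should also state that references held only through the global context are not reported, for example `// NOTE: references reachable only via the global context are not found.`. The body of ReferencesObject starts and ends outside the hunk.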
Index: test/mjsunit/regress/regress-343928.js
diff --git a/test/mjsunit/regress/regress-343928.js
b/test/mjsunit/regress/regress-343928.js
new file mode 100644
index
0000000000000000000000000000000000000000..b102ab9c4cf6042cd9aaa6136d0c2dd1bb42cd4a
--- /dev/null
+++ b/test/mjsunit/regress/regress-343928.js
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony --expose-debug-as=debug
+
+(function () { // Scope for utility functions.
+ escaping_function = function(object) {
+ // Argument must not be null or undefined.
+ var string = Object.prototype.toString.call(object);
+ // String has format [object <ClassName>].
+ return string.substring(8, string.length - 1);
+ }
+})();
+
+module B {
+ var stuff = 3
+}
+
+var __v_0 = {};
+var __v_4 = debug.MakeMirror(__v_0);
+print(__v_4.referencedBy().length); // core dump here if not fixed.
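Review bot: The regression test asserts nothing. Its last line only prints `referencedBy().length`, so it guards against the crash but would not notice a wrong result from the new early return. It also does not say which construct triggers the bug. Judging from the commit description it is presumably the `module B` declaration that puts the top-level script on a global context, and a comment such as `// The module declaration gives this script a global context (harmony scoping).` would tell a later reader which line must not be removed. The unused `escaping_function` helper looks like fuzzer residue and could be dropped, or marked as needed if it is.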