Revision: 19576
Author: [email protected]
Date: Thu Feb 27 13:25:05 2014 UTC
Log: Fix for Clusterfuzz issue 343928.
The problem was that the debugger didn't expect that a JSFunction could
have a GlobalContext, which it can with harmony scoping.
BUG=343928
[email protected]
LOG=N
Review URL: https://codereview.chromium.org/183103003
http://code.google.com/p/v8/source/detail?r=19576
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-343928.js
Modified:
/branches/bleeding_edge/src/contexts.h
/branches/bleeding_edge/src/objects.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-343928.js Thu Feb
27 13:25:05 2014 UTC
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony --expose-debug-as=debug
+
+(function () { // Scope for utility functions.
+ escaping_function = function(object) {
+ // Argument must not be null or undefined.
+ var string = Object.prototype.toString.call(object);
+ // String has format [object <ClassName>].
+ return string.substring(8, string.length - 1);
+ }
+})();
+
+module B {
+ var stuff = 3
+}
+
+var __v_0 = {};
+var __v_4 = debug.MakeMirror(__v_0);
+print(__v_4.referencedBy().length); // core dump here if not fixed.
=======================================
--- /branches/bleeding_edge/src/contexts.h Wed Feb 12 22:04:19 2014 UTC
+++ /branches/bleeding_edge/src/contexts.h Thu Feb 27 13:25:05 2014 UTC
@@ -226,8 +226,11 @@
// In addition, function contexts may have statically allocated context
slots
// to store local variables/functions that are accessed from inner
functions
// (via static context addresses) or through 'eval' (dynamic context
lookups).
-// Finally, the native context contains additional slots for fast access to
-// native properties.
+// The native context contains additional slots for fast access to native
+// properties.
+//
+// Finally, with Harmony scoping, the JSFunction representing a top level
+// script will have the GlobalContext rather than a FunctionContext.
class Context: public FixedArray {
public:
=======================================
--- /branches/bleeding_edge/src/objects.cc Tue Feb 25 15:47:33 2014 UTC
+++ /branches/bleeding_edge/src/objects.cc Thu Feb 27 13:25:05 2014 UTC
@@ -5444,6 +5444,12 @@
// Check the context extension (if any) if it can have references.
if (context->has_extension() && !context->IsCatchContext()) {
+ // With harmony scoping, a JSFunction may have a global context.
+ // TODO(mvstanton): walk into the ScopeInfo.
+ if (FLAG_harmony_scoping && context->IsGlobalContext()) {
+ return false;
+ }
+
return JSObject::cast(context->extension())->ReferencesObject(obj);
}
}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
