Commit 7485da7a authored by adamk, committed by Commit bot

Don't crash when preparsing destructured arguments

This adds the materialized literal count accumulated while parsing the
parameters (in the parser proper) to that accumulated by the preparser.

This should have been caught in cctest/test-parsing, but it's not covered
because the parsing tests call directly into the preparser rather than
using Parser::ParseFunctionLiteral (which fully-parses the parameters
and then calls into the preparser to skip over the function body).

Note that this further-inflates the materialized literal count for
functions with destructured arguments, since some of the counted
literals are actually binding patterns. But that's not specific to
binding patterns in formal parameters: it happens in function bodies, too.

BUG=v8:4400,v8:4407
LOG=n

Review URL: https://codereview.chromium.org/1350913005

Cr-Commit-Position: refs/heads/master@{#30868}
parent 24ec2a0b
......@@ -4205,9 +4205,8 @@ FunctionLiteral* Parser::ParseFunctionLiteral(
&expected_property_count, /*CHECK_OK*/ ok,
maybe_bookmark);
if (formals.materialized_literals_count > 0) {
materialized_literal_count += formals.materialized_literals_count;
}
materialized_literal_count += formals.materialized_literals_count +
function_state.materialized_literal_count();
if (bookmark.HasBeenReset()) {
// Trigger eager (re-)parsing, just below this block.
......
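Review bot: the new `materialized_literal_count += formals.materialized_literals_count + function_state.materialized_literal_count();` statement runs before the `bookmark.HasBeenReset()` check, so on the path where the bookmark was reset and the function is eagerly re-parsed, the preparse-time contribution has already been folded into the count. Please confirm that the eager path below this block overwrites `materialized_literal_count` rather than adding to it, or move the addition after the reset check. A short code comment noting that this total also counts binding patterns as literals, as the commit message says, would help the next reader.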
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-default-parameters --min-preparse-length=0
function borked(a = [], b = {}, c) {}
borked();
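Review bot: the regression test exercises only array and object literal defaults (`a = []`, `b = {}`) and never a destructuring pattern in the parameter list, although the commit title is about destructured arguments. Consider adding a function whose parameter is a binding pattern so the case named in the title is covered, and a cctest that goes through Parser::ParseFunctionLiteral to close the coverage gap the commit message describes.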