Don't treat catch scopes as possibly-shadowing for sloppy eval

Scope analysis is over-conservative when treating variable resolutions as possibly-shadowed by a sloppy eval. In the attached bug, this comes into play since catch scopes have different behavior with respect to the "calls eval" in eager vs lazy compilation (in the latter, they are never marked as "calls eval" because CatchContexts don't have an associated ScopeInfo). This patch changes the scope-type check to also eliminate a few other cases where shadowing isn't possible, such as non-declaration block scopes. BUG=chromium:608279 LOG=n Review-Url: https://codereview.chromium.org/1950803002 Cr-Commit-Position: refs/heads/master@{#36046}

Don't treat catch scopes as possibly-shadowing for sloppy eval
Scope analysis is over-conservative when treating variable resolutions as possibly-shadowed by a sloppy eval. In the attached bug, this comes into play since catch scopes have different behavior with respect to the "calls eval" in eager vs lazy compilation (in the latter, they are never marked as "calls eval" because CatchContexts don't have an associated ScopeInfo). This patch changes the scope-type check to also eliminate a few other cases where shadowing isn't possible, such as non-declaration block scopes. BUG=chromium:608279 LOG=n Review-Url: https://codereview.chromium.org/1950803002 Cr-Commit-Position: refs/heads/master@{#36046}
75f2d65f · adamk · Commit bot · 915ec67c · 75f2d65f · 75f2d65f
Commit 75f2d65f authored May 04, 2016 by adamk Committed by Commit bot May 04, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 2 deletions

scopes.cc src/ast/scopes.cc +5 -2

regress-crbug-608279.js test/mjsunit/regress/regress-crbug-608279.js +18 -0

No files found.
--- a/src/ast/scopes.cc
+++ b/src/ast/scopes.cc
@@ -1098,12 +1098,15 @@ Variable* Scope::LookupRecursive(VariableProxy* proxy,
    if (var != NULL && proxy->is_assigned()) var->set_maybe_assigned();
    *binding_kind = DYNAMIC_LOOKUP;
    return NULL;
-  } else if (calls_sloppy_eval() && !is_script_scope() &&
-             name_can_be_shadowed) {
+  } else if (calls_sloppy_eval() && is_declaration_scope() &&
+             !is_script_scope() && name_can_be_shadowed) {
    // A variable binding may have been found in an outer scope, but the current
    // scope makes a sloppy 'eval' call, so the found variable may not be
    // the correct one (the 'eval' may introduce a binding with the same name).
    // In that case, change the lookup result to reflect this situation.
+    // Only scopes that can host var bindings (declaration scopes) need be
+    // considered here (this excludes block and catch scopes), and variable
+    // lookups at script scope are always dynamic.
    if (*binding_kind == BOUND) {
      *binding_kind = BOUND_EVAL_SHADOWED;
    } else if (*binding_kind == UNBOUND) {

--- a/test/mjsunit/regress/regress-crbug-608279.js
+++ b/test/mjsunit/regress/regress-crbug-608279.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --always-opt --no-lazy
+
+function __f_38() {
+  try {
+    throw 0;
+  } catch (e) {
+    eval();
+    var __v_38 = { a: 'hest' };
+    __v_38.m = function () { return __v_38.a; };
+  }
+  return __v_38;
+}
+var __v_40 = __f_38();
+__v_40.m();