Fix for Clusterfuzz issue 343928.

The problem was that the debugger didn't expect that a JSFunction could have a GlobalContext, which it can with harmony scoping. BUG=343928 R=yangguo@chromium.org LOG=N Review URL: https://codereview.chromium.org/183103003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix for Clusterfuzz issue 343928.
The problem was that the debugger didn't expect that a JSFunction could have a GlobalContext, which it can with harmony scoping. BUG=343928 R=yangguo@chromium.org LOG=N Review URL: https://codereview.chromium.org/183103003 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
b8f8cfab · mvstanton@chromium.org · 703536eb · b8f8cfab · b8f8cfab · b8f8cfab
Commit b8f8cfab authored Feb 27, 2014 by mvstanton@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 2 deletions

contexts.h src/contexts.h +5 -2

objects.cc src/objects.cc +6 -0

regress-343928.js test/mjsunit/regress/regress-343928.js +22 -0

No files found.
--- a/src/contexts.h
+++ b/src/contexts.h
@@ -226,8 +226,11 @@ enum BindingFlags {
 // In addition, function contexts may have statically allocated context slots
 // to store local variables/functions that are accessed from inner functions
 // (via static context addresses) or through 'eval' (dynamic context lookups).
-// Finally, the native context contains additional slots for fast access to
-// native properties.
+// The native context contains additional slots for fast access to native
+// properties.
+//
+// Finally, with Harmony scoping, the JSFunction representing a top level
+// script will have the GlobalContext rather than a FunctionContext.

 class Context: public FixedArray {
 public:

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5444,6 +5444,12 @@ bool JSObject::ReferencesObject(Object* obj) {

    // Check the context extension (if any) if it can have references.
    if (context->has_extension() && !context->IsCatchContext()) {
+      // With harmony scoping, a JSFunction may have a global context.
+      // TODO(mvstanton): walk into the ScopeInfo.
+      if (FLAG_harmony_scoping && context->IsGlobalContext()) {
+        return false;
+      }
+
      return JSObject::cast(context->extension())->ReferencesObject(obj);
    }
  }

--- a/test/mjsunit/regress/regress-343928.js
+++ b/test/mjsunit/regress/regress-343928.js
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony --expose-debug-as=debug
+
+(function () {  // Scope for utility functions.
+  escaping_function = function(object) {
+    // Argument must not be null or undefined.
+    var string = Object.prototype.toString.call(object);
+    // String has format [object <ClassName>].
+    return string.substring(8, string.length - 1);
+  }
+})();
+
+module B {
+  var stuff = 3
+}
+
+var __v_0 = {};
+var __v_4 = debug.MakeMirror(__v_0);
+print(__v_4.referencedBy().length);  // core dump here if not fixed.