[parser] Don't handle this var management in reparsed scopes

verwaest · V8 LUCI CQ · commit 0d75c4ef5f12 · 2024-10-18T10:16:26.000Z
The variable is already properly allocated, so we shouldn't try to reallocate it. Notable this would be wrong in the case where we reparse a class body for one of its initializers. The function in which the class body actually lives might not have required a context, but computed property names might have referred to its receiver. When we reparse the class that function might not be on the outer scope chain of the class (since it didn't require a context). Bug: 371237564 Change-Id: I54ccbc86eb9abdcd558d395f7896d1a23a110b50 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5937959 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Auto-Submit: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/main@{#96677}
diff --git a/src/ast/scopes.h b/src/ast/scopes.h
@@ -113,6 +113,8 @@ class V8_EXPORT_PRIVATE Scope : public NON_EXPORTED_BASE(ZoneObject) {
   ClassScope* AsClassScope();
   const ClassScope* AsClassScope() const;
 
+  bool is_reparsed() const { return !scope_info_.is_null(); }
+
   class Snapshot final {
    public:
     inline explicit Snapshot(Scope* scope);
@@ -1413,8 +1415,6 @@ class V8_EXPORT_PRIVATE ClassScope : public Scope {
                                IsStaticFlag is_static_flag, bool* was_added);
   Variable* RedeclareSyntheticContextVariable(const AstRawString* name);
 
-  bool is_reparsed() const { return !scope_info_.is_null(); }
-
   // Try resolving all unresolved private names found in the current scope.
   // Called from DeclarationScope::AllocateVariables() when reparsing a
   // method to generate code or when eval() is called to access private names.
diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h
@@ -1241,8 +1241,10 @@ class ParserBase {
   // Needs to be called if the reference needs to be available from the current
   // point. It causes the receiver to be context allocated if necessary.
   // Returns the receiver variable that we're referencing.
-  V8_INLINE Variable* UseThis() {
-    DeclarationScope* closure_scope = scope()->GetClosureScope();
+  V8_INLINE void UseThis() {
+    Scope* scope = this->scope();
+    if (scope->is_reparsed()) return;
+    DeclarationScope* closure_scope = scope->GetClosureScope();
     DeclarationScope* receiver_scope = closure_scope->GetReceiverScope();
     Variable* var = receiver_scope->receiver();
     var->set_is_used();
@@ -1255,7 +1257,6 @@ class ParserBase {
       closure_scope->set_has_this_reference();
       var->ForceContextAllocation();
     }
-    return var;
   }
 
   V8_INLINE IdentifierT ParseAndClassifyIdentifier(Token::Value token);
diff --git a/test/mjsunit/regress/regress-crbug-371237564.js b/test/mjsunit/regress/regress-crbug-371237564.js
@@ -0,0 +1,19 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function test(val) {
+  function func() {
+    class Class extends func {
+      static {
+        super.m();
+      }
+      // An instance initializer between two static initializers is
+      // needed to trigger the regression.
+      [this] = val;
+      static 1;
+    }
+  }
+  func();
+}
+assertThrows(test);
