[MERGE #6193 @boingoing] Correctly handle named function expressions when saving ScopeInfo

Merge pull request #6193 from boingoing:fix_paramscopecapturesbodydecl_2

Previous fix for a similar issue #6157 didn't handle the case of a function expression in which the param and function expression scopes are merged with the body scope. In that case, the function defined in the param scope needs to have access to the body scope of the enclosing function.

Author: boingoing

lib/Parser/Parse.cpp

@@ -1973,6 +1973,20 @@ void Parser::BindPidRefsInScope(IdentPtr pid, Symbol *sym, int blockId, uint max
             }
         }
 
+        if (m_currentNodeFunc && m_currentNodeFunc->pnodeName && pid == m_currentNodeFunc->pnodeName->pid && !m_currentNodeFunc->IsDeclaration() && m_currentNodeFunc->IsBodyAndParamScopeMerged())
+        {
+            Scope* funcExprScope = m_currentNodeFunc->scope;
+            Assert(funcExprScope->GetScopeType() == ScopeType_FuncExpr);
+
+            ParseNodeBlock* bodyScope = m_currentNodeFunc->pnodeBodyScope;
+            Assert(bodyScope->blockType == PnodeBlockType::Function);
+
+            if (ref->GetScopeId() < bodyScope->blockId && ref->GetScopeId() > blockId)
+            {
+                funcExprScope->SetIsObject();
+            }
+        }
+
         if (ref->GetScopeId() == blockId)
         {
             break;
@@ -5378,9 +5392,14 @@ ParseNodeFnc * Parser::ParseFncDeclInternal(ushort flags, LPCOLESTR pNameHint, c
     pnodeFnc->SetIsModule(fModule);
     pnodeFnc->SetIsClassConstructor((flags & fFncClassConstructor) != 0);
     pnodeFnc->SetIsBaseClassConstructor((flags & fFncBaseClassConstructor) != 0);
-    pnodeFnc->SetIsDeclaredInParamScope(this->m_currentScope && this->m_currentScope->GetScopeType() == ScopeType_Parameter);
     pnodeFnc->SetHomeObjLocation(Js::Constants::NoRegister);
 
+    if (this->m_currentScope && this->m_currentScope->GetScopeType() == ScopeType_Parameter)
+    {
+        pnodeFnc->SetIsDeclaredInParamScope();
+        this->m_currentScope->SetHasNestedParamFunc();
+    }
+
     IdentPtr pFncNamePid = nullptr;
     bool needScanRCurly = true;
     ParseFncDeclHelper<buildAST>(pnodeFnc, pNameHint, flags, fUnaryOrParen, noStmtContext, &needScanRCurly, fModule, &pFncNamePid, fAllowIn);

lib/Runtime/ByteCode/ByteCodeEmitter.cpp

@@ -3481,8 +3481,6 @@ void ByteCodeGenerator::EmitScopeList(ParseNode *pnode, ParseNode *breakOnBodySc
                 }
                 this->StartEmitFunction(pnode->AsParseNodeFnc());
 
-                PushFuncInfo(_u("StartEmitFunction"), funcInfo);
-
                 if (!funcInfo->IsBodyAndParamScopeMerged())
                 {
                     this->EmitScopeList(pnode->AsParseNodeFnc()->pnodeBodyScope->pnodeScopes);
@@ -3886,6 +3884,8 @@ void ByteCodeGenerator::StartEmitFunction(ParseNodeFnc *pnodeFnc)
         }
     }
 
+    PushFuncInfo(_u("StartEmitFunction"), funcInfo);
+
     if (!funcInfo->IsBodyAndParamScopeMerged())
     {
         ParseNodeBlock * paramBlock = pnodeFnc->pnodeScopes;

lib/Runtime/ByteCode/ByteCodeGenerator.cpp

@@ -1840,7 +1840,7 @@ FuncInfo *ByteCodeGenerator::FindEnclosingNonLambda()
     return nullptr;
 }
 
-FuncInfo* GetParentFuncInfo(FuncInfo* child)
+FuncInfo* ByteCodeGenerator::GetParentFuncInfo(FuncInfo* child)
 {
     for (Scope* scope = child->GetBodyScope(); scope; scope = scope->GetEnclosingScope())
     {
@@ -1853,6 +1853,19 @@ FuncInfo* GetParentFuncInfo(FuncInfo* child)
     return nullptr;
 }
 
+FuncInfo* ByteCodeGenerator::GetEnclosingFuncInfo()
+{
+    FuncInfo* top = this->funcInfoStack->Pop();
+
+    Assert(!this->funcInfoStack->Empty());
+
+    FuncInfo* second = this->funcInfoStack->Top();
+
+    this->funcInfoStack->Push(top);
+
+    return second;
+}
+
 bool ByteCodeGenerator::CanStackNestedFunc(FuncInfo * funcInfo, bool trace)
 {
 #if ENABLE_DEBUG_CONFIG_OPTIONS
@@ -2634,7 +2647,7 @@ void AssignFuncSymRegister(ParseNodeFnc * pnodeFnc, ByteCodeGenerator * byteCode
                 Assert(byteCodeGenerator->GetCurrentScope()->GetFunc() == sym->GetScope()->GetFunc());
                 if (byteCodeGenerator->GetCurrentScope()->GetFunc() != sym->GetScope()->GetFunc())
                 {
-                    Assert(GetParentFuncInfo(byteCodeGenerator->GetCurrentScope()->GetFunc()) == sym->GetScope()->GetFunc());
+                    Assert(ByteCodeGenerator::GetParentFuncInfo(byteCodeGenerator->GetCurrentScope()->GetFunc()) == sym->GetScope()->GetFunc());
                     sym->GetScope()->SetMustInstantiate(true);
                     byteCodeGenerator->ProcessCapturedSym(sym);
                     sym->GetScope()->GetFunc()->SetHasLocalInClosure(true);

lib/Runtime/ByteCode/ByteCodeGenerator.h

@@ -402,6 +402,8 @@ class ByteCodeGenerator
     void PopulateFormalsScope(uint beginOffset, FuncInfo *funcInfo, ParseNodeFnc *pnodeFnc);
     void InsertPropertyToDebuggerScope(FuncInfo* funcInfo, Js::DebuggerScope* debuggerScope, Symbol* sym);
     FuncInfo *FindEnclosingNonLambda();
+    static FuncInfo* GetParentFuncInfo(FuncInfo* child);
+    FuncInfo* GetEnclosingFuncInfo();
 
     bool CanStackNestedFunc(FuncInfo * funcInfo, bool trace = false);
     void CheckDeferParseHasMaybeEscapedNestedFunc();

lib/Runtime/ByteCode/Scope.h

@@ -41,6 +41,7 @@ class Scope
     BYTE canMergeWithBodyScope : 1;
     BYTE hasLocalInClosure : 1;
     BYTE isBlockInLoop : 1;
+    BYTE hasNestedParamFunc : 1;
 public:
 #if DBG
     BYTE isRestored : 1;
@@ -60,6 +61,7 @@ class Scope
         canMergeWithBodyScope(true),
         hasLocalInClosure(false),
         isBlockInLoop(false),
+        hasNestedParamFunc(false),
         location(Js::Constants::NoRegister),
         m_symList(nullptr),
         m_count(0),
@@ -252,6 +254,9 @@ class Scope
     void SetIsBlockInLoop(bool is = true) { isBlockInLoop = is; }
     bool IsBlockInLoop() const { return isBlockInLoop; }
 
+    void SetHasNestedParamFunc(bool is = true) { hasNestedParamFunc = is; }
+    bool GetHasNestedParamFunc() const { return hasNestedParamFunc; }
+
     bool HasInnerScopeIndex() const { return innerScopeIndex != (uint)-1; }
     uint GetInnerScopeIndex() const { return innerScopeIndex; }
     void SetInnerScopeIndex(uint index) { innerScopeIndex = index; }

lib/Runtime/ByteCode/ScopeInfo.cpp

@@ -112,8 +112,17 @@ namespace Js
     ScopeInfo * ScopeInfo::SaveScopeInfo(ByteCodeGenerator* byteCodeGenerator, Scope * scope, ScriptContext * scriptContext)
     {
         // Advance past scopes that will be excluded from the closure environment. (But note that we always want the body scope.)
-        while (scope && (!scope->GetMustInstantiate() && scope != scope->GetFunc()->GetBodyScope()))
+        while (scope)
         {
+            FuncInfo* func = scope->GetFunc();
+
+            if (scope->GetMustInstantiate() ||
+                func->GetBodyScope() == scope ||
+                (func->GetParamScope() == scope && func->IsBodyAndParamScopeMerged() && scope->GetHasNestedParamFunc()))
+            {
+                break;
+            }
+
             scope = scope->GetEnclosingScope();
         }
 
@@ -162,13 +171,12 @@ namespace Js
         Scope* currentScope = byteCodeGenerator->GetCurrentScope();
         Assert(currentScope->GetFunc() == funcInfo);
 
-// Disable the below temporarily because of bad interaction with named function expressions
-#if 0
-        if (funcInfo->root->IsDeclaredInParamScope()) {
+        if (funcInfo->root->IsDeclaredInParamScope())
+        {
             Assert(currentScope->GetScopeType() == ScopeType_FunctionBody);
             Assert(currentScope->GetEnclosingScope());
 
-            FuncInfo* func = currentScope->GetEnclosingScope()->GetFunc();
+            FuncInfo* func = byteCodeGenerator->GetEnclosingFuncInfo();
             Assert(func);
 
             if (func->IsBodyAndParamScopeMerged())
@@ -178,7 +186,6 @@ namespace Js
                 Assert(!currentScope->GetMustInstantiate());
             }
         }
-#endif
 
         while (currentScope->GetFunc() == funcInfo)
         {

test/Bugs/bug_OS18926499.js

@@ -3,23 +3,130 @@
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 
-function foo(a = (()=>+x)()) {
-    function bar() { eval(''); }
-    var x;
-}
+let throwingFunctions = [{
+    msg: "Split-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = (()=>+x)()) {
+            function bar() { eval(''); }
+            var x;
+          }
+},
+{
+    msg: "Split-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = (()=>+x)()) {
+            eval('');
+            var x;
+          }
+},
+{
+    msg: "Merged-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = () => +x) {
+            var x = 1;
+            return a();
+          }
+},
+{
+    msg: "Merged-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = (()=>+x)()) {
+            var x;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(a = (function foo3b() { return +x; })()) {
+            var x = 123;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(a = (function foo3b() { return +x; })()) {
+            eval('');
+            var x = 123;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(a = (function foo3b() { return +x; })()) {
+            function bar() { eval(''); }
+            var x = 123;
+          }
+},
+{
+    msg: "Param-scope func expr child with nested func expr capturing symbol from parent body scope",
+    body: foo5 = function foo5a(a = (function(){(function(b = 123) { +x; })()})()) {
+                    function bar() { eval(''); }
+                    var x;
+                 }
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { +x; })()){})()){})()){ var x;}
+}];
 
-try {
-    foo();
-    console.log('fail');
-} catch {
-    console.log("pass");
-}
+let nonThrowingFunctions = [{
+    msg: "Func expr parent, param-scope func expr child capturing parent func expr name",
+    body: foo3 = function foo3a(a = (function foo3b() { +foo3a; })()) {
+            return +a;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing own func expr name",
+    body: foo3 = function foo3a(a = (function foo3b() { +foo3b; })()) {
+            return +a;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing expression name hint",
+    body: foo3 = function foo3a(a = (function foo3b() { +foo3; })()) {
+            return +a;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing parent argument name",
+    body: foo3 = function foo3a(b = 123, a = (function foo3b() { return +b; })()) {
+            if (123 !== a) throw 123;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(b = 123, a = (function foo3b() { return +b; })()) {
+            if (123 !== a) throw 123;
+          }
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3d; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3c; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3b; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3a; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3; })()){})()){})()){}
+}];
 
-function foo2(a = () => x) { var x = 1; return a(); }
+for (let fn of throwingFunctions) {
+    try {
+        fn.body();
+        console.log(`fail: ${fn.msg}`);
+    } catch {
+        console.log("pass");
+    }
+}
 
-try {
-    foo2()
-    console.log('fail');
-} catch {
-    console.log('pass');
+for (let fn of nonThrowingFunctions) {
+    try {
+        fn.body();
+        console.log("pass");
+    } catch {
+        console.log(`fail: ${fn.msg}`);
+    }
 }

test/Bugs/rlexe.xml

@@ -582,15 +582,12 @@
       <compile-flags>-args summary -endargs</compile-flags>
     </default>
   </test>
-<!--
-Re-enable after fixing ScopeInfo::SaveEnclosingScopeInfo to handle named function expressions
   <test>
     <default>
       <files>bug_OS18926499.js</files>
       <compile-flags>-force:deferparse</compile-flags>
     </default>
   </test>
--->
   <test>
     <default>
       <files>Bug19767482.js</files>