Support function expression with param scope functions capturing function expression name

boingoing · boingoing · commit adfb5cc5aaeb · 2019-08-01T14:01:35.000-07:00
diff --git a/lib/Parser/Parse.cpp b/lib/Parser/Parse.cpp
@@ -1826,6 +1826,26 @@ void Parser::FinishParseBlock(ParseNodeBlock *pnodeBlock, bool needScanRCurly)
     }
 }
 
+void CheckFncExprNameCapturedInParamScope(ParseNodeFnc* pnodeFnc, ParseNodeBlock* pnodeFncExprScope)
+{
+    ParseNodeBlock* bodyScope = pnodeFnc->pnodeBodyScope;
+    ParseNodePtr pnodeName = pnodeFnc->pnodeName;
+
+    if (bodyScope == nullptr || pnodeName == nullptr || !pnodeFnc->IsBodyAndParamScopeMerged())
+    {
+        return;
+    }
+
+    for (PidRefStack* ref = pnodeName->AsParseNodeVar()->pid->GetTopRef(); ref && ref->id > pnodeFncExprScope->blockId; ref = ref->prev)
+    {
+        if (ref->id < bodyScope->blockId && ref->id > pnodeFncExprScope->blockId)
+        {
+            pnodeFncExprScope->scope->SetIsObject();
+            return;
+        }
+    }
+}
+
 void Parser::FinishParseFncExprScope(ParseNodeFnc * pnodeFnc, ParseNodeBlock * pnodeFncExprScope)
 {
     int fncExprScopeId = pnodeFncExprScope->blockId;
@@ -5378,9 +5398,14 @@ ParseNodeFnc * Parser::ParseFncDeclInternal(ushort flags, LPCOLESTR pNameHint, c
     pnodeFnc->SetIsModule(fModule);
     pnodeFnc->SetIsClassConstructor((flags & fFncClassConstructor) != 0);
     pnodeFnc->SetIsBaseClassConstructor((flags & fFncBaseClassConstructor) != 0);
-    pnodeFnc->SetIsDeclaredInParamScope(this->m_currentScope && this->m_currentScope->GetScopeType() == ScopeType_Parameter);
     pnodeFnc->SetHomeObjLocation(Js::Constants::NoRegister);
 
+    if (this->m_currentScope && this->m_currentScope->GetScopeType() == ScopeType_Parameter)
+    {
+        pnodeFnc->SetIsDeclaredInParamScope();
+        this->m_currentScope->SetHasNestedParamFunc();
+    }
+
     IdentPtr pFncNamePid = nullptr;
     bool needScanRCurly = true;
     ParseFncDeclHelper<buildAST>(pnodeFnc, pNameHint, flags, fUnaryOrParen, noStmtContext, &needScanRCurly, fModule, &pFncNamePid, fAllowIn);
@@ -6013,6 +6038,11 @@ void Parser::ParseFncDeclHelper(ParseNodeFnc * pnodeFnc, LPCOLESTR pNameHint, us
 
         if (pnodeBlock)
         {
+            if (pnodeFncExprScope)
+            {
+                CheckFncExprNameCapturedInParamScope(pnodeFnc, pnodeFncExprScope);
+            }
+
             FinishParseBlock(pnodeBlock, *pNeedScanRCurly);
         }
 
diff --git a/lib/Runtime/ByteCode/Scope.h b/lib/Runtime/ByteCode/Scope.h
@@ -41,6 +41,7 @@ class Scope
     BYTE canMergeWithBodyScope : 1;
     BYTE hasLocalInClosure : 1;
     BYTE isBlockInLoop : 1;
+    BYTE hasNestedParamFunc : 1;
 public:
 #if DBG
     BYTE isRestored : 1;
@@ -60,6 +61,7 @@ class Scope
         canMergeWithBodyScope(true),
         hasLocalInClosure(false),
         isBlockInLoop(false),
+        hasNestedParamFunc(false),
         location(Js::Constants::NoRegister),
         m_symList(nullptr),
         m_count(0),
@@ -252,6 +254,9 @@ class Scope
     void SetIsBlockInLoop(bool is = true) { isBlockInLoop = is; }
     bool IsBlockInLoop() const { return isBlockInLoop; }
 
+    void SetHasNestedParamFunc(bool is = true) { hasNestedParamFunc = is; }
+    bool GetHasNestedParamFunc() const { return hasNestedParamFunc; }
+
     bool HasInnerScopeIndex() const { return innerScopeIndex != (uint)-1; }
     uint GetInnerScopeIndex() const { return innerScopeIndex; }
     void SetInnerScopeIndex(uint index) { innerScopeIndex = index; }
diff --git a/lib/Runtime/ByteCode/ScopeInfo.cpp b/lib/Runtime/ByteCode/ScopeInfo.cpp
@@ -112,8 +112,17 @@ namespace Js
     ScopeInfo * ScopeInfo::SaveScopeInfo(ByteCodeGenerator* byteCodeGenerator, Scope * scope, ScriptContext * scriptContext)
     {
         // Advance past scopes that will be excluded from the closure environment. (But note that we always want the body scope.)
-        while (scope && (!scope->GetMustInstantiate() && scope != scope->GetFunc()->GetBodyScope()))
+        while (scope)
         {
+            FuncInfo* func = scope->GetFunc();
+
+            if (scope->GetMustInstantiate() ||
+                func->GetBodyScope() == scope ||
+                (func->GetParamScope() == scope && func->IsBodyAndParamScopeMerged() && scope->GetHasNestedParamFunc()))
+            {
+                break;
+            }
+
             scope = scope->GetEnclosingScope();
         }
 
@@ -162,14 +171,15 @@ namespace Js
         Scope* currentScope = byteCodeGenerator->GetCurrentScope();
         Assert(currentScope->GetFunc() == funcInfo);
 
-        if (funcInfo->root->IsDeclaredInParamScope()) {
+        if (funcInfo->root->IsDeclaredInParamScope())
+        {
             Assert(currentScope->GetScopeType() == ScopeType_FunctionBody);
             Assert(currentScope->GetEnclosingScope());
 
             FuncInfo* func = byteCodeGenerator->GetEnclosingFuncInfo();
             Assert(func);
 
-            if (func->IsBodyAndParamScopeMerged() && !(func->funcExprScope && func->funcExprScope->GetCanMerge()))
+            if (func->IsBodyAndParamScopeMerged())
             {
                 currentScope = func->GetParamScope();
                 Assert(currentScope->GetScopeType() == ScopeType_Parameter);
diff --git a/test/Bugs/bug_OS18926499.js b/test/Bugs/bug_OS18926499.js
@@ -3,92 +3,130 @@
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 
-function foo(a = (()=>+x)()) {
-    function bar() { eval(''); }
-    var x;
+let throwingFunctions = [{
+    msg: "Split-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = (()=>+x)()) {
+            function bar() { eval(''); }
+            var x;
+          }
+},
+{
+    msg: "Split-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = (()=>+x)()) {
+            eval('');
+            var x;
+          }
+},
+{
+    msg: "Merged-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = () => +x) {
+            var x = 1;
+            return a();
+          }
+},
+{
+    msg: "Merged-scope parent, param-scope child capturing symbol from parent body scope",
+    body: function foo(a = (()=>+x)()) {
+            var x;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(a = (function foo3b() { return +x; })()) {
+            var x = 123;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(a = (function foo3b() { return +x; })()) {
+            eval('');
+            var x = 123;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(a = (function foo3b() { return +x; })()) {
+            function bar() { eval(''); }
+            var x = 123;
+          }
+},
+{
+    msg: "Param-scope func expr child with nested func expr capturing symbol from parent body scope",
+    body: foo5 = function foo5a(a = (function(){(function(b = 123) { +x; })()})()) {
+                    function bar() { eval(''); }
+                    var x;
+                 }
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { +x; })()){})()){})()){ var x;}
+}];
+
+let nonThrowingFunctions = [{
+    msg: "Func expr parent, param-scope func expr child capturing parent func expr name",
+    body: foo3 = function foo3a(a = (function foo3b() { +foo3a; })()) {
+            return +a;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing own func expr name",
+    body: foo3 = function foo3a(a = (function foo3b() { +foo3b; })()) {
+            return +a;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing expression name hint",
+    body: foo3 = function foo3a(a = (function foo3b() { +foo3; })()) {
+            return +a;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing parent argument name",
+    body: foo3 = function foo3a(b = 123, a = (function foo3b() { return +b; })()) {
+            if (123 !== a) throw 123;
+          }
+},
+{
+    msg: "Func expr parent, param-scope func expr child capturing symbol from parent body scope",
+    body: foo3 = function foo3a(b = 123, a = (function foo3b() { return +b; })()) {
+            if (123 !== a) throw 123;
+          }
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3d; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3c; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3b; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3a; })()){})()){})()){}
+},
+{
+    msg: "Multiple nested func expr, inner param-scope function capturing outer func expr name",
+    body: foo3 = function foo3a(a = (function foo3b(b = (function foo3c(c = (function foo3d() { foo3; })()){})()){})()){}
+}];
+
+for (let fn of throwingFunctions) {
+    try {
+        fn.body();
+        console.log(`fail: ${fn.msg}`);
+    } catch {
+        console.log("pass");
+    }
 }
 
-try {
-    foo();
-    console.log('fail');
-} catch {
-    console.log("pass");
-}
-
-function foo2(a = () => x) { var x = 1; return a(); }
-
-try {
-    foo2()
-    console.log('fail');
-} catch {
-    console.log('pass');
-}
-
-var foo3 = function foo3a(a = (function foo3b() { +foo3a; })()) {
-    a;
-};
-
-try {
-    foo3()
-    console.log('pass');
-} catch {
-    console.log('fail');
-}
-
-var foo4 = function foo4a(a = (function() { +x; })()) {
-    function bar() { eval(''); }
-    var x;
-};
-
-try {
-    foo4()
-    console.log('fail');
-} catch {
-    console.log('pass');
-}
-
-var foo5 = function foo5a(a = (function(){(function(b = 123) { +x; })()})()) {
-    function bar() { eval(''); }
-    var x;
-};
-
-try {
-    foo5();
-    console.log('fail');
-} catch {
-    console.log('pass');
-}
-
-function foo6(a, b = (function() {a; +x;})()) {
-    function bar() { eval(''); }
-    var x;
-};
-
-try {
-    foo6();
-    console.log('fail');
-} catch {
-    console.log('pass');
-}
-
-var foo8 = function foo8a(b, a = (function foo8b() { console.log(x); })()) {
-    a;
-    var x = 'fail';
-};
-
-try {
-    foo8()
-    console.log('fail');
-} catch {
-    console.log('pass');
-}
-
-var foo9 = function foo9a(b = 'pass', a = (function foo9b() { console.log(b); })()) {
-};
-
-try {
-    foo9()
-    console.log('pass');
-} catch {
-    console.log('fail');
+for (let fn of nonThrowingFunctions) {
+    try {
+        fn.body();
+        console.log("pass");
+    } catch {
+        console.log(`fail: ${fn.msg}`);
+    }
 }
