
[CVE-2018-0775] Deferred parsing makes wrong scopes #2 - Google, Inc.

Paul Leathers 8 years ago
parent
commit
ee5ac64f96
3 changed files with 22 additions and 0 deletions
  1. lib/Runtime/ByteCode/ByteCodeGenerator.cpp (+5 -0)
  2. test/es6/function-expr-capture2.js (+11 -0)
  3. test/es6/rlexe.xml (+6 -0)

+ 5 - 0
lib/Runtime/ByteCode/ByteCodeGenerator.cpp

@@ -1423,6 +1423,11 @@ FuncInfo * ByteCodeGenerator::StartBindFunction(const char16 *name, uint nameLen
         sym->SetPosition(parseableFunctionInfo->GetOrAddPropertyIdTracked(sym->GetName()));
 
         pnode->sxFnc.SetFuncSymbol(sym);
+
+        if (funcExprScope->GetIsObject())
+        {
+            funcExprScope->SetMustInstantiate(true);
+        }
     }
 
     Scope *paramScope = pnode->sxFnc.pnodeScopes ? pnode->sxFnc.pnodeScopes->sxBlock.scope : nullptr;
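
Review bot: the new `if (funcExprScope->GetIsObject())` block after `pnode->sxFnc.SetFuncSymbol(sym);` has no comment saying why an object function-expression scope must be forced to instantiate. Because this is a security fix, add a short comment stating the invariant it protects (for example, that a nested function under deferred parsing may resolve the function's own name through this scope at run time, which is what function-expr-capture2.js exercises), so a later refactor does not drop the `SetMustInstantiate(true)` call as redundant. It is also worth confirming that funcExprScope cannot become an object scope after this point in StartBindFunction, since the check is evaluated only once here.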

+ 11 - 0
test/es6/function-expr-capture2.js

@@ -0,0 +1,11 @@
+eval(
+    '(function f() {' +
+    '     with({}) {' +
+    '         (function () {' +
+    '             return f;' +
+    '         })();' +
+    '     }' +
+    ' }());'
+);
+
+WScript.Echo('pass');
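
Review bot: `WScript.Echo('pass')` on the last line runs unconditionally, so this test only detects a crash or an uncaught exception; an inner function that returned the wrong binding for `f` would still print 'pass'. Have the eval'd code hand back the result of the inner `return f;` and compare it with the outer function before echoing, and add a leading comment naming the case covered (a named function expression captured from inside `with({})` in eval'd code).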

+ 6 - 0
test/es6/rlexe.xml

@@ -1521,4 +1521,10 @@
     <files>function-expr-capture.js</files>
   </default>
 </test>
+<test>
+  <default>
+    <files>function-expr-capture2.js</files>
+    <compile-flags>-force:deferparse</compile-flags>
+  </default>
+</test>
 </regress-exe>
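
Review bot: the new `<test>` entry runs function-expr-capture2.js only with `-force:deferparse`, so the same script is never executed on the non-deferred path and a behavioural difference between the two would go unnoticed. Consider adding a second `<default>` entry for the file without `<compile-flags>`, or state in the test file why only the deferred configuration is relevant.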