Reviewers: Dan Ehrenberg, rossberg,

Message:
PTAL

Description:
[es6] Enforce TDZ checks for let/const in StoreLookupSlot

With --harmony-sloppy we can get to a runtime store in the presence of
an eval. We therefore need to check that the value is not the hole, which
is used to enforce TDZ.

BUG=v8:4284
LOG=N
[email protected], [email protected]

Please review this at https://codereview.chromium.org/1214733013/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+38, -29 lines):
  M src/runtime/runtime-scopes.cc
  M test/mjsunit/es6/block-let-semantics.js
  M test/mjsunit/harmony/block-let-semantics-sloppy.js


Index: src/runtime/runtime-scopes.cc
diff --git a/src/runtime/runtime-scopes.cc b/src/runtime/runtime-scopes.cc
index 953a09f16df7127c2654207571fe61cb483f3c59..b4506512a188e92ee9a02e341582a7fbe1ce30f6 100644
--- a/src/runtime/runtime-scopes.cc
+++ b/src/runtime/runtime-scopes.cc
@@ -1026,6 +1026,12 @@ RUNTIME_FUNCTION(Runtime_StoreLookupSlot) {

   // The property was found in a context slot.
   if (index >= 0) {
+    if ((binding_flags == MUTABLE_CHECK_INITIALIZED ||
+         binding_flags == IMMUTABLE_CHECK_INITIALIZED_HARMONY) &&
+        Handle<Context>::cast(holder)->is_the_hole(index)) {
+      THROW_NEW_ERROR_RETURN_FAILURE(
+          isolate, NewReferenceError(MessageTemplate::kNotDefined, name));
+    }
     if ((attributes & READ_ONLY) == 0) {
       Handle<Context>::cast(holder)->set(index, *value);
     } else if (is_strict(language_mode)) {
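Review bot: The new hole check at the top of the `index >= 0` branch has no comment saying why it exists or why it sits before the `READ_ONLY` test. That ordering is what makes a store to an uninitialized const raise a ReferenceError instead of falling through to the read-only handling. I would add `// let/const slots hold the hole until initialized; a store reached via sloppy eval must throw rather than overwrite it (TDZ).` above the `if`. The repeated `Handle<Context>::cast(holder)` in this branch could also share one local, `Handle<Context> context = Handle<Context>::cast(holder);`. Runtime_StoreLookupSlot starts and ends outside the hunk, so whether `binding_flags` is always populated by the lookup before this point cannot be confirmed from here.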
Index: test/mjsunit/es6/block-let-semantics.js
diff --git a/test/mjsunit/es6/block-let-semantics.js b/test/mjsunit/es6/block-let-semantics.js
index b0a826a007a84eaeac5c09c58c947b6de4b28972..5d4304169cfca386f0757d222480ec3f24d17d14 100644
--- a/test/mjsunit/es6/block-let-semantics.js
+++ b/test/mjsunit/es6/block-let-semantics.js
@@ -85,20 +85,22 @@ TestAll('f()(); let x; function f() { return function() { ++x; } }');
 TestAll('f()(); let x; function f() { return function() { x++; } }');
TestAll('f()(); const x = 1; function f() { return function() { return x; } }');

-// Use before initialization with a dynamic lookup.
-TestAll('eval("x + 1;"); let x;');
-TestAll('eval("x = 1;"); let x;');
-TestAll('eval("x += 1;"); let x;');
-TestAll('eval("++x;"); let x;');
-TestAll('eval("x++;"); let x;');
-TestAll('eval("x"); const x = 1;');
-
-// Use before initialization with check for eval-shadowed bindings.
-TestAll('function f() { eval("var y = 2;"); x + 1; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); x = 1; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); x += 1; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); ++x; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); x++; }; f(); let x;');
+for (var kw of ['let', 'const']) {
+  // Use before initialization with a dynamic lookup.
+  TestAll(`eval("x"); ${kw} x = 2;`);
+  TestAll(`eval("x + 1;"); ${kw} x = 2;`);
+  TestAll(`eval("x = 1;"); ${kw} x = 2;`);
+  TestAll(`eval("x += 1;"); ${kw} x = 2;`);
+  TestAll(`eval("++x;"); ${kw} x = 2;`);
+  TestAll(`eval("x++;"); ${kw} x = 2;`);
+
+  // Use before initialization with check for eval-shadowed bindings.
+ TestAll(`function f() { eval("var y = 2;"); x + 1; }; f(); ${kw} x = 2;`);
+ TestAll(`function f() { eval("var y = 2;"); x = 1; }; f(); ${kw} x = 2;`);
+ TestAll(`function f() { eval("var y = 2;"); x += 1; }; f(); ${kw} x = 2;`);
+  TestAll(`function f() { eval("var y = 2;"); ++x; }; f(); ${kw} x = 2;`);
+  TestAll(`function f() { eval("var y = 2;"); x++; }; f(); ${kw} x = 2;`);
+}

 // Test that variables introduced by function declarations are created and
 // initialized upon entering a function / block scope.
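Review bot: Every rewritten case in the `for (var kw of ['let', 'const'])` loop now declares `${kw} x = 2;`, so the declaration without an initializer (`let x;`), which the removed lines exercised, is no longer covered for the dynamic-lookup and eval-shadowed paths. The runtime check added in this change keys off the hole in the slot, so one `let x;` case per group would pin that the uninitialized-declaration form behaves the same, e.g. `TestAll('eval("x = 1;"); let x;');` after the loop. The same applies to the identical hunk in test/mjsunit/harmony/block-let-semantics-sloppy.js.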
Index: test/mjsunit/harmony/block-let-semantics-sloppy.js
diff --git a/test/mjsunit/harmony/block-let-semantics-sloppy.js b/test/mjsunit/harmony/block-let-semantics-sloppy.js
index 4a90a2fcd8ec3e6783e2256a1dc1c241ba4e7438..35aad30b1b1de55d24a0233263c2c855514468ab 100644
--- a/test/mjsunit/harmony/block-let-semantics-sloppy.js
+++ b/test/mjsunit/harmony/block-let-semantics-sloppy.js
@@ -85,21 +85,22 @@ TestAll('f()(); let x; function f() { return function() { ++x; } }');
 TestAll('f()(); let x; function f() { return function() { x++; } }');
TestAll('f()(); const x = 1; function f() { return function() { return x; } }');

-// Use before initialization with a dynamic lookup.
-TestAll('eval("x + 1;"); let x;');
-TestAll('eval("x = 1;"); let x;');
-TestAll('eval("x += 1;"); let x;');
-TestAll('eval("++x;"); let x;');
-TestAll('eval("x++;"); let x;');
-TestAll('eval("x"); const x = 1;');
-
-// Use before initialization with check for eval-shadowed bindings.
-TestAll('function f() { eval("var y = 2;"); x + 1; }; f(); let x;');
-// TODO(arv): https://code.google.com/p/v8/issues/detail?id=4284
-// TestAll('function f() { eval("var y = 2;"); x = 1; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); x += 1; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); ++x; }; f(); let x;');
-TestAll('function f() { eval("var y = 2;"); x++; }; f(); let x;');
+for (var kw of ['let', 'const']) {
+  // Use before initialization with a dynamic lookup.
+  TestAll(`eval("x"); ${kw} x = 2;`);
+  TestAll(`eval("x + 1;"); ${kw} x = 2;`);
+  TestAll(`eval("x = 1;"); ${kw} x = 2;`);
+  TestAll(`eval("x += 1;"); ${kw} x = 2;`);
+  TestAll(`eval("++x;"); ${kw} x = 2;`);
+  TestAll(`eval("x++;"); ${kw} x = 2;`);
+
+  // Use before initialization with check for eval-shadowed bindings.
+ TestAll(`function f() { eval("var y = 2;"); x + 1; }; f(); ${kw} x = 2;`);
+ TestAll(`function f() { eval("var y = 2;"); x = 1; }; f(); ${kw} x = 2;`);
+ TestAll(`function f() { eval("var y = 2;"); x += 1; }; f(); ${kw} x = 2;`);
+  TestAll(`function f() { eval("var y = 2;"); ++x; }; f(); ${kw} x = 2;`);
+  TestAll(`function f() { eval("var y = 2;"); x++; }; f(); ${kw} x = 2;`);
+}

 // Test that variables introduced by function declarations are created and
 // initialized upon entering a function / block scope.

