Title: [201293] trunk/Source/_javascript_Core
- Revision
- 201293
- Author
- [email protected]
- Date
- 2016-05-23 13:27:28 -0700 (Mon, 23 May 2016)
Log Message
String template don't handle let initialization properly inside eval
https://bugs.webkit.org/show_bug.cgi?id=157991
Reviewed by Oliver Hunt.
The fix is to make sure we emit TDZ checks.
* bytecompiler/NodesCodegen.cpp:
(JSC::TaggedTemplateNode::emitBytecode):
* tests/stress/tagged-template-tdz.js: Added.
(shouldThrowTDZ):
(test):
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (201292 => 201293)
--- trunk/Source/_javascript_Core/ChangeLog 2016-05-23 20:25:03 UTC (rev 201292)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-05-23 20:27:28 UTC (rev 201293)
@@ -1,3 +1,18 @@
+2016-05-23 Saam barati <[email protected]>
+
+ String template don't handle let initialization properly inside eval
+ https://bugs.webkit.org/show_bug.cgi?id=157991
+
+ Reviewed by Oliver Hunt.
+
+ The fix is to make sure we emit TDZ checks.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::TaggedTemplateNode::emitBytecode):
+ * tests/stress/tagged-template-tdz.js: Added.
+ (shouldThrowTDZ):
+ (test):
+
2016-05-22 Saam barati <[email protected]>
Unreviewed. Fixed debug assertion failures from r201235.
Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (201292 => 201293)
--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2016-05-23 20:25:03 UTC (rev 201292)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2016-05-23 20:27:28 UTC (rev 201293)
@@ -292,9 +292,10 @@
expectedFunction = generator.expectedFunctionForIdentifier(identifier);
Variable var = generator.variable(identifier);
- if (RegisterID* local = var.local())
+ if (RegisterID* local = var.local()) {
+ generator.emitTDZCheckIfNecessary(var, local, nullptr);
tag = generator.emitMove(generator.newTemporary(), local);
- else {
+ } else {
tag = generator.newTemporary();
base = generator.newTemporary();
@@ -302,6 +303,7 @@
generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
generator.moveToDestinationIfNeeded(base.get(), generator.emitResolveScope(base.get(), var));
generator.emitGetFromScope(tag.get(), base.get(), var, ThrowIfNotFound);
+ generator.emitTDZCheckIfNecessary(var, tag.get(), nullptr);
}
} else if (m_tag->isBracketAccessorNode()) {
BracketAccessorNode* bracket = static_cast<BracketAccessorNode*>(m_tag);
Added: trunk/Source/_javascript_Core/tests/stress/tagged-template-tdz.js (0 => 201293)
--- trunk/Source/_javascript_Core/tests/stress/tagged-template-tdz.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/tagged-template-tdz.js 2016-05-23 20:27:28 UTC (rev 201293)
@@ -0,0 +1,51 @@
+function shouldThrowTDZ(func) {
+ let hasThrown = false;
+ try {
+ func();
+ } catch(e) {
+ if (e.name.indexOf("ReferenceError") !== -1)
+ hasThrown = true;
+ }
+ if (!hasThrown)
+ throw new Error("Did not throw TDZ error");
+}
+noInline(shouldThrowTDZ);
+
+function test(f) {
+ for (let i = 0; i < 1000; i++)
+ f();
+}
+
+test(function() {
+ shouldThrowTDZ(function() {
+ (a)``;
+ let a;
+ });
+});
+
+test(function() {
+ shouldThrowTDZ(function() {
+ (a)``;
+ let a;
+ function capture() { return a; }
+ });
+});
+
+test(function() {
+ shouldThrowTDZ(()=> { (a)``; });
+ let a;
+});
+
+test(function() {
+ shouldThrowTDZ(()=> { eval("(a)``"); });
+ let a;
+});
+
+
+test(function() {
+ shouldThrowTDZ(()=> { (globalLet)``; });
+});
+test(function() {
+ shouldThrowTDZ(()=> { eval("(globalLet)``;")});
+});
+let globalLet;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
