Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (234415 => 234416)
--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-07-31 09:24:56 UTC (rev 234415)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-07-31 09:25:02 UTC (rev 234416)
@@ -1,3 +1,13 @@
+2018-05-25 Mark Lam <[email protected]>
+
+ for-in loops should preserve and restore the TDZ stack for each of its internal loops.
+ https://bugs.webkit.org/show_bug.cgi?id=185995
+ <rdar://problem/40173142>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-185995.js: Added.
+
2018-04-28 Saam Barati <[email protected]>
We don't model regexp effects properly
Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/regress-185995.js (0 => 234416)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/regress-185995.js (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/regress-185995.js 2018-07-31 09:25:02 UTC (rev 234416)
@@ -0,0 +1,13 @@
+(function() {
+ var exception;
+ try {
+ var list = { 'a' : 5 };
+ for(const { x = x } in list)
+ x();
+ } catch (e) {
+ exception = e;
+ }
+
+ if (exception != "ReferenceError: Cannot access uninitialized variable.")
+ throw "FAILED";
+})();
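Review bot: The pass condition `if (exception != "ReferenceError: Cannot access uninitialized variable.")` depends on string coercion of the caught value and on the exact wording of JSC's TDZ message, so a later change to that text would make this regression test fail for a reason unrelated to the bug, and an unrelated throw is only rejected by accident of its message. A type check pins the behaviour the fix actually guarantees: `if (!(exception instanceof ReferenceError)) throw "FAILED";`. A one-line header comment would also tell the next reader what is being exercised, e.g. `// 'a' is not an indexed property, so the indexed for-in loop never runs; the const binding x must still be in its TDZ when the following loop evaluates the initializer x = x.` (the exact loop that trips the check is my inference from the object shape; adjust if the bytecode path differs).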
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (234415 => 234416)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-07-31 09:24:56 UTC (rev 234415)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-07-31 09:25:02 UTC (rev 234416)
@@ -1,3 +1,22 @@
+2018-05-25 Mark Lam <[email protected]>
+
+ for-in loops should preserve and restore the TDZ stack for each of its internal loops.
+ https://bugs.webkit.org/show_bug.cgi?id=185995
+ <rdar://problem/40173142>
+
+ Reviewed by Saam Barati.
+
+ This is because there's no guarantee that any of the loop bodies will be
+ executed. Hence, there's no guarantee that the TDZ variables will have been
+ initialized after each loop body.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::preserveTDZStack):
+ (JSC::BytecodeGenerator::restoreTDZStack):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitBytecode):
+
2018-05-08 Michael Saboff <[email protected]>
Deferred firing of structure transition watchpoints is racy
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (234415 => 234416)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2018-07-31 09:24:56 UTC (rev 234415)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2018-07-31 09:25:02 UTC (rev 234416)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
* Copyright (C) 2008 Cameron Zwarich <[email protected]>
* Copyright (C) 2012 Igalia, S.L.
*
@@ -3114,6 +3114,16 @@
}
}
+void BytecodeGenerator::preserveTDZStack(BytecodeGenerator::PreservedTDZStack& preservedStack)
+{
+ preservedStack.m_preservedTDZStack = m_TDZStack;
+}
+
+void BytecodeGenerator::restoreTDZStack(const BytecodeGenerator::PreservedTDZStack& preservedStack)
+{
+ m_TDZStack = preservedStack.m_preservedTDZStack;
+}
+
RegisterID* BytecodeGenerator::emitNewObject(RegisterID* dst)
{
size_t begin = instructions().size();
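Review bot: preserveTDZStack and restoreTDZStack carry no comment saying why a caller would snapshot and roll back TDZ state, and that reason is the security-relevant part of the change: a TDZ entry lifted while emitting a loop body that is not guaranteed to execute would let bytecode emitted afterwards skip the TDZ check and read an uninitialized binding. I would add above preserveTDZStack: `// Snapshot m_TDZStack so that a caller emitting several alternative loop bodies (see ForInNode::emitBytecode) can roll back any TDZ liftings performed while emitting one body before emitting the next; those bodies may never run at runtime, so liftings must not leak across them.` Both functions copy the whole Vector<TDZMap>; that is acceptable at bytecode-generation time, and the copy in restore is required because NodesCodegen restores from the same snapshot more than once. If callers are expected to keep lexical-scope pushes and pops balanced between preserve and restore, an `ASSERT(m_TDZStack.size() == preservedStack.m_preservedTDZStack.size());` in restoreTDZStack would make that contract checkable — I cannot confirm from this hunk that ForInNode keeps it balanced, so verify before adding it.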
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h (234415 => 234416)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h 2018-07-31 09:24:56 UTC (rev 234415)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h 2018-07-31 09:25:02 UTC (rev 234416)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
* Copyright (C) 2008 Cameron Zwarich <[email protected]>
* Copyright (C) 2012 Igalia, S.L.
*
@@ -1090,6 +1090,13 @@
void initializeArrowFunctionContextScopeIfNeeded(SymbolTable* functionSymbolTable = nullptr, bool canReuseLexicalEnvironment = false);
bool needsDerivedConstructorInArrowFunctionLexicalEnvironment();
+ enum class TDZNecessityLevel {
+ NotNeeded,
+ Optimize,
+ DoNotOptimize
+ };
+ typedef HashMap<RefPtr<UniquedStringImpl>, TDZNecessityLevel, IdentifierRepHash> TDZMap;
+
public:
JSString* addStringConstant(const Identifier&);
JSValue addBigIntConstant(const Identifier&, uint8_t radix);
@@ -1099,6 +1106,15 @@
RegisterID* emitThrowExpressionTooDeepException();
+ class PreservedTDZStack {
+ private:
+ Vector<TDZMap> m_preservedTDZStack;
+ friend class BytecodeGenerator;
+ };
+
+ void preserveTDZStack(PreservedTDZStack&);
+ void restoreTDZStack(const PreservedTDZStack&);
+
private:
Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow> m_instructions;
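Review bot: PreservedTDZStack is an opaque handle whose only documentation is its member name, and the header is where the next user of preserveTDZStack/restoreTDZStack will look. I would add above the class: `// Opaque snapshot of the generator's TDZ stack. Fill it with preserveTDZStack() and roll the generator back with restoreTDZStack(); the snapshot is not consumed by a restore, so one snapshot may be restored several times (ForInNode::emitBytecode does this between its alternative loops).` The multi-restore claim follows from restoreTDZStack taking a const reference and copying, and from the two restore calls in NodesCodegen. Moving TDZNecessityLevel and TDZMap ahead of the public section so the nested class can name them is fine, but a short comment on that move would stop someone from "tidying" them back into the private block.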
@@ -1111,12 +1127,7 @@
int m_symbolTableConstantIndex;
};
Vector<LexicalScopeStackEntry> m_lexicalScopeStack;
- enum class TDZNecessityLevel {
- NotNeeded,
- Optimize,
- DoNotOptimize
- };
- typedef HashMap<RefPtr<UniquedStringImpl>, TDZNecessityLevel, IdentifierRepHash> TDZMap;
+
Vector<TDZMap> m_TDZStack;
std::optional<size_t> m_varScopeLexicalScopeStackIndex;
void pushTDZVariables(const VariableEnvironment&, TDZCheckOptimization, TDZRequirement);
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (234415 => 234416)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-07-31 09:24:56 UTC (rev 234415)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-07-31 09:25:02 UTC (rev 234416)
@@ -3006,6 +3006,9 @@
enumerator = generator.emitGetPropertyEnumerator(generator.newTemporary(), base.get());
+ BytecodeGenerator::PreservedTDZStack preservedTDZStack;
+ generator.preserveTDZStack(preservedTDZStack);
+
// Indexed property loop.
{
Ref<LabelScope> scope = generator.newLabelScope(LabelScope::Loop);
@@ -3045,6 +3048,7 @@
generator.emitJump(end.get());
generator.emitLabel(loopEnd.get());
}
+ generator.restoreTDZStack(preservedTDZStack);
// Structure property loop.
{
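Review bot: The restore at `generator.restoreTDZStack(preservedTDZStack);` has no comment explaining why the state produced by the indexed loop is thrown away before the structure loop, and a reader who does not know bug 185995 will see it as redundant and be tempted to remove it. I would put one line above it: `// The indexed loop's body may never run, so any TDZ lifting it performed must not be visible while emitting the structure loop.` ForInNode::emitBytecode begins and ends outside this hunk, so the corresponding preserve call and the loop's scope handling are not visible here.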
@@ -3085,6 +3089,7 @@
generator.emitJump(end.get());
generator.emitLabel(loopEnd.get());
}
+ generator.restoreTDZStack(preservedTDZStack);
// Generic property loop.
{
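Review bot: There is no restoreTDZStack after the generic property loop, although the changelog's argument — no loop body is guaranteed to execute — applies to that loop too, so whatever is emitted after the loops (ForInNode::emitBytecode continues past this hunk) sees the TDZ state the generic loop's body left behind. If the for-in's lexical scope is popped immediately after the loops and nothing else observes that state, a one-line comment saying so would stop the next reader from asking the same question; otherwise the fix is incomplete and `generator.restoreTDZStack(preservedTDZStack);` belongs after the generic loop as well. I cannot see the tail of the function here, so please confirm which case applies.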