Title: [240371] branches/safari-607-branch
Revision
240371
Author
[email protected]
Date
2019-01-23 17:20:52 -0800 (Wed, 23 Jan 2019)

Log Message

Cherry-pick r239961. rdar://problem/47458424

    [BigInt] Literal parsing is crashing when used inside an Object Literal
    https://bugs.webkit.org/show_bug.cgi?id=193404

    Reviewed by Yusuke Suzuki.

    JSTests:

    * stress/big-int-literal-inside-literal-object.js: Added.

    Source/JavaScriptCore:

    The former implementation was relying on token.m_data.radix after the
    call to `next()` in Parser.cpp. This is not safe because next
    clobbers token.m_data.radix in some cases (e.g. CLOSEBRACE).
    Now we get the radix value before calling `next()` in the parser and store
    it in a local variable.

    * parser/Parser.cpp:
    (JSC::Parser<LexerType>::parsePrimaryExpression):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239961 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

branches/safari-607-branch/JSTests/ChangeLog
branches/safari-607-branch/Source/JavaScriptCore/ChangeLog
branches/safari-607-branch/Source/JavaScriptCore/parser/Parser.cpp

Added Paths

branches/safari-607-branch/JSTests/stress/big-int-literal-inside-literal-object.js
Diff

Modified: branches/safari-607-branch/JSTests/ChangeLog (240370 => 240371)


--- branches/safari-607-branch/JSTests/ChangeLog	2019-01-24 01:17:46 UTC (rev 240370)
+++ branches/safari-607-branch/JSTests/ChangeLog	2019-01-24 01:20:52 UTC (rev 240371)
@@ -1,3 +1,39 @@
+2019-01-23  Alan Coon  <[email protected]>
+
+        Cherry-pick r239961. rdar://problem/47458424
+
+    [BigInt] Literal parsing is crashing when used inside a Object Literal
+    https://bugs.webkit.org/show_bug.cgi?id=193404
+    
+    Reviewed by Yusuke Suzuki.
+    
+    JSTests:
+    
+    * stress/big-int-literal-inside-literal-object.js: Added.
+    
+    Source/_javascript_Core:
+    
+    Former implementation was relying into token.m_data.radix after the
+    call of `next()` into Parser.cpp. This is not safe because next
+    clobbers token.m_data.radix in some cases (e.g is CLOSEBRACE).
+    Now we get radix value before calling `next()` into parser and store
+    in a local variable.
+    
+    * parser/Parser.cpp:
+    (JSC::Parser<LexerType>::parsePrimaryExpression):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-01-14  Caio Lima  <[email protected]>
+
+            [BigInt] Literal parsing is crashing when used inside a Object Literal
+            https://bugs.webkit.org/show_bug.cgi?id=193404
+
+            Reviewed by Yusuke Suzuki.
+
+            * stress/big-int-literal-inside-literal-object.js: Added.
+
 2019-01-15  Alan Coon  <[email protected]>
 
         Cherry-pick r239882. rdar://problem/47260361
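Review bot: the indentation of the new entry is inconsistent: the `Cherry-pick r239961.` line is indented eight spaces while the rest of the cherry-picked body sits at four, and the nested original entry by Caio Lima uses twelve; align the whole entry on the four-space convention the existing `2019-01-15  Alan Coon` entry below already follows so the ChangeLog stays uniform.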

Added: branches/safari-607-branch/JSTests/stress/big-int-literal-inside-literal-object.js (0 => 240371)


--- branches/safari-607-branch/JSTests/stress/big-int-literal-inside-literal-object.js	                        (rev 0)
+++ branches/safari-607-branch/JSTests/stress/big-int-literal-inside-literal-object.js	2019-01-24 01:20:52 UTC (rev 240371)
@@ -0,0 +1,21 @@
+//@ runBigIntEnabled
+
+var assert = {
+    sameValue: function (input, expected) {
+        if (input !== expected)
+            throw new Error('Expected: ' + expected + ' but got: ' + input);
+    }
+};
+
+var x = {y:1n}
+assert.sameValue(x.y, 1n);
+
+x = {y:{z:1n}};
+assert.sameValue(x.y.z, 1n);
+
+x = {y:-1212n}
+assert.sameValue(x.y, -1212n);
+
+x = {y:{z:-22312n}};
+assert.sameValue(x.y.z, -22312n);
+
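Review bot: the test only uses decimal BigInt literals, so it checks the crash but not the value of the radix that the Parser.cpp change preserves across `next()`. Add at least one non-decimal literal in object-literal position, e.g. `x = {y:0x1fn};` with `assert.sameValue(x.y, 31n);`, and the `0b`/`0o` forms likewise, so a wrong but non-crashing radix would also be caught. Minor style point: `var x = {y:1n}` and `x = {y:-1212n}` are missing the trailing semicolons the other statements have.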

Modified: branches/safari-607-branch/Source/JavaScriptCore/ChangeLog (240370 => 240371)


--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2019-01-24 01:17:46 UTC (rev 240370)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2019-01-24 01:20:52 UTC (rev 240371)
@@ -1,3 +1,46 @@
+2019-01-23  Alan Coon  <[email protected]>
+
+        Cherry-pick r239961. rdar://problem/47458424
+
+    [BigInt] Literal parsing is crashing when used inside a Object Literal
+    https://bugs.webkit.org/show_bug.cgi?id=193404
+    
+    Reviewed by Yusuke Suzuki.
+    
+    JSTests:
+    
+    * stress/big-int-literal-inside-literal-object.js: Added.
+    
+    Source/_javascript_Core:
+    
+    Former implementation was relying into token.m_data.radix after the
+    call of `next()` into Parser.cpp. This is not safe because next
+    clobbers token.m_data.radix in some cases (e.g is CLOSEBRACE).
+    Now we get radix value before calling `next()` into parser and store
+    in a local variable.
+    
+    * parser/Parser.cpp:
+    (JSC::Parser<LexerType>::parsePrimaryExpression):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-01-14  Caio Lima  <[email protected]>
+
+            [BigInt] Literal parsing is crashing when used inside a Object Literal
+            https://bugs.webkit.org/show_bug.cgi?id=193404
+
+            Reviewed by Yusuke Suzuki.
+
+            Former implementation was relying into token.m_data.radix after the
+            call of `next()` into Parser.cpp. This is not safe because next
+            clobbers token.m_data.radix in some cases (e.g is CLOSEBRACE).
+            Now we get radix value before calling `next()` into parser and store
+            in a local variable.
+
+            * parser/Parser.cpp:
+            (JSC::Parser<LexerType>::parsePrimaryExpression):
+
 2019-01-15  Alan Coon  <[email protected]>
 
         Cherry-pick r239904. rdar://problem/4726030
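Review bot: wording nits in the description: `relying into token.m_data.radix` should read `relying on`, `a Object Literal` should be `an Object Literal`, and `(e.g is CLOSEBRACE)` is clearer as `(e.g. when the following token is CLOSEBRACE)`. It would also help future readers to state the mechanism in one line: `next()` advances `m_token`, so any field read from `m_token.m_data` after the call describes the following token rather than the BigInt literal.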

Modified: branches/safari-607-branch/Source/JavaScriptCore/parser/Parser.cpp (240370 => 240371)


--- branches/safari-607-branch/Source/_javascript_Core/parser/Parser.cpp	2019-01-24 01:17:46 UTC (rev 240370)
+++ branches/safari-607-branch/Source/_javascript_Core/parser/Parser.cpp	2019-01-24 01:20:52 UTC (rev 240371)
@@ -4518,9 +4518,10 @@
     }
     case BIGINT: {
         const Identifier* ident = m_token.m_data.bigIntString;
+        uint8_t radix = m_token.m_data.radix;
         JSTokenLocation location(tokenLocation());
         next();
-        return context.createBigInt(location, ident, m_token.m_data.radix);
+        return context.createBigInt(location, ident, radix);
     }
     case STRING: {
         const Identifier* ident = m_token.m_data.ident;
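Review bot: the ordering fix is right as far as the visible lines go: `ident` was already captured from `m_token.m_data` before `next()`, and `radix` now follows the same pattern, so `createBigInt` no longer reads a field that `next()` has overwritten with the following token's data. Two follow-ups: confirm that `uint8_t` matches the declared type of `m_data.radix` and of the `createBigInt` radix parameter so the local introduces no narrowing conversion, and audit the other `case` arms of `parsePrimaryExpression` (the `case STRING` arm below reads `m_token.m_data.ident` in the same shape) for any remaining read of `m_token.m_data` after `next()`, since the same stale-token bug would apply to every field of it.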
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
