[webkit-changes] [246549] trunk

[keith_miller]

Title: [246549] trunk

Revision

246549

Author

keith_mil...@apple.com

Date

2019-06-18 10:26:07 -0700 (Tue, 18 Jun 2019)

Log Message

MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
https://bugs.webkit.org/show_bug.cgi?id=198969
<rdar://problem/51620714>

Reviewed by Tadeu Zagallo.

JSTests:

* stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
(catch):

Source/_javascript_Core:

Sometimes if the parser has enough nested scopes
MaybeParseAsGeneratorForScope can lose track of the ScopeRef it
should be tracking. This is because the parser sometimes relocates
its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should
hold the scope ref it's watching.

* parser/Parser.cpp:
(JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
(JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/parser/Parser.cpp

Added Paths

• trunk/JSTests/stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js

Diff

Modified: trunk/JSTests/ChangeLog (246548 => 246549)

--- trunk/JSTests/ChangeLog	2019-06-18 17:20:10 UTC (rev 246548)
+++ trunk/JSTests/ChangeLog	2019-06-18 17:26:07 UTC (rev 246549)
@@ -1,3 +1,14 @@
+2019-06-18  Keith Miller  <keith_mil...@apple.com>
+
+        MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
+        https://bugs.webkit.org/show_bug.cgi?id=198969
+        <rdar://problem/51620714>
+
+        Reviewed by Tadeu Zagallo.
+
+        * stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js: Added.
+        (catch):
+
 2019-06-17  Justin Michaud  <justin_mich...@apple.com>
 
         Validate that table element type is funcref if using an element section

Added: trunk/JSTests/stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js (0 => 246549)

--- trunk/JSTests/stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js	                        (rev 0)
+++ trunk/JSTests/stress/nested-yield-in-arrow-function-should-be-a-syntax-error.js	2019-06-18 17:26:07 UTC (rev 246549)
@@ -0,0 +1,10 @@
+let passed = false;
+try {
+    new Function("\nfor (let a of (function*() { \n       for (var b of (function*() { \n               for (var c of (function*() { \n                       for (var d of (function*() {\n                               for (var e of (function*() { \n                                       for (var f of (function*() {\n                                               for (var g of (x = (yield * 2)) => (1)) {\n                                               }\n                                       })()) {\n                                       }\n                               })()) {\n                               }\n                       })()) {\n                       }\n               })()) {\n               }\n       })()) {\n       }\n})()) {\n}\n");
+} catch (e) {
+    if (e instanceof SyntaxError)
+        passed = true;
+} finally {
+    if (passed !== true)
+        throw new Error("Test did not throw a Syntax Error as expected");
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (246548 => 246549)

--- trunk/Source/_javascript_Core/ChangeLog	2019-06-18 17:20:10 UTC (rev 246548)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-06-18 17:26:07 UTC (rev 246549)
@@ -1,3 +1,21 @@
+2019-06-18  Keith Miller  <keith_mil...@apple.com>
+
+        MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
+        https://bugs.webkit.org/show_bug.cgi?id=198969
+        <rdar://problem/51620714>
+
+        Reviewed by Tadeu Zagallo.
+
+        Sometimes if the parser has enough nested scopes
+        MaybeParseAsGeneratorForScope can lose track of the ScopeRef it
+        should be tracking. This is because the parser sometimes relocates
+        its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should
+        hold the scope ref it's watching.
+
+        * parser/Parser.cpp:
+        (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
+        (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope):
+
 2019-06-17  Justin Michaud  <justin_mich...@apple.com>
 
         Validate that table element type is funcref if using an element section

Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (246548 => 246549)

--- trunk/Source/_javascript_Core/parser/Parser.cpp	2019-06-18 17:20:10 UTC (rev 246548)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp	2019-06-18 17:26:07 UTC (rev 246549)
@@ -173,10 +173,23 @@
     next();
 }
 
-class Scope::MaybeParseAsGeneratorForScope : public SetForScope<bool> {
+class Scope::MaybeParseAsGeneratorForScope {
 public:
     MaybeParseAsGeneratorForScope(ScopeRef& scope, bool shouldParseAsGenerator)
-        : SetForScope<bool>(scope->m_isGenerator, shouldParseAsGenerator) { }
+        : m_scope(scope)
+        , m_oldValue(scope->m_isGenerator)
+    {
+        m_scope->m_isGenerator = shouldParseAsGenerator;
+    }
+
+    ~MaybeParseAsGeneratorForScope()
+    {
+        m_scope->m_isGenerator = m_oldValue;
+    }
+
+private:
+    ScopeRef m_scope;
+    bool m_oldValue;
 };
 
 struct DepthManager : private SetForScope<int> {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes