Skip to site navigation (Press enter)

[webkit-changes] [247088] trunk

msaboff Tue, 02 Jul 2019 23:02:54 -0700

Title: [247088] trunk

Revision: 247088
Author: [email protected]
Date: 2019-07-02 23:01:12 -0700 (Tue, 02 Jul 2019)

Log Message

JSTests:
Exception from For..of loop assignment eliminates TDZ checks in subsequent code
https://bugs.webkit.org/show_bug.cgi?id=199395


Reviewed by Filip Pizlo.

New regession test.

* stress/for-of-tdz-with-try-catch.js: Added.
(test):
(i.catch):

Source/_javascript_Core:
Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code
https://bugs.webkit.org/show_bug.cgi?id=199395

Reviewed by Filip Pizlo.

For destructuring assignmests, the assignment might throw a reference error if
the RHS cannot be coerced.  The current bytecode generated for such assignments
optimizes out the TDZ check after the coercible check.

By saving the current state of the TDZ stack before processing the setting of 
target destructured values and then restoring afterwards, we won't optimize out
later TDZ check(s).

A similar change of saving / restoring the TDZ stack where exceptions might
happen was done for for..in loops in change set r232219.

* bytecompiler/NodesCodegen.cpp:
(JSC::ObjectPatternNode::bindValue const):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp

Added Paths

trunk/JSTests/stress/for-of-tdz-with-try-catch.js

Diff

Modified: trunk/JSTests/ChangeLog (247087 => 247088)


--- trunk/JSTests/ChangeLog	2019-07-03 05:43:11 UTC (rev 247087)
+++ trunk/JSTests/ChangeLog	2019-07-03 06:01:12 UTC (rev 247088)
@@ -1,3 +1,16 @@
+2019-07-02  Michael Saboff  <[email protected]>
+
+        Exception from For..of loop assignment eliminates TDZ checks in subsequent code
+        https://bugs.webkit.org/show_bug.cgi?id=199395
+
+        Reviewed by Filip Pizlo.
+
+        New regession test.
+
+        * stress/for-of-tdz-with-try-catch.js: Added.
+        (test):
+        (i.catch):
+
 2019-07-02  Keith Miller  <[email protected]>
 
         Frozen Arrays length assignment should throw in strict mode

Added: trunk/JSTests/stress/for-of-tdz-with-try-catch.js (0 => 247088)


--- trunk/JSTests/stress/for-of-tdz-with-try-catch.js	                        (rev 0)
+++ trunk/JSTests/stress/for-of-tdz-with-try-catch.js	2019-07-03 06:01:12 UTC (rev 247088)
@@ -0,0 +1,22 @@
+// This regression test checks that a let in the TDZ state is handled properly
+// with a for-of in a try as well as the ensuing catch block.
+
+function test() {
+    try {
+        for ({o} of [, 0])
+            ;
+    } catch (e) {
+        o[0] = 1.5;
+    }
+    let o = {
+    };
+}
+
+for (i = 0; i < 1000; i++) {
+    try {
+        test();
+    } catch(e) {
+        if (e != "ReferenceError: Cannot access uninitialized variable.")
+            throw "Expected \"ReferenceError: Cannot access uninitialized variable.\", but got \"" + e +"\"";
+    }
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (247087 => 247088)


--- trunk/Source/_javascript_Core/ChangeLog	2019-07-03 05:43:11 UTC (rev 247087)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-07-03 06:01:12 UTC (rev 247088)
@@ -1,3 +1,24 @@
+2019-07-02  Michael Saboff  <[email protected]>
+
+        Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code
+        https://bugs.webkit.org/show_bug.cgi?id=199395
+
+        Reviewed by Filip Pizlo.
+
+        For destructuring assignmests, the assignment might throw a reference error if
+        the RHS cannot be coerced.  The current bytecode generated for such assignments
+        optimizes out the TDZ check after the coercible check.
+
+        By saving the current state of the TDZ stack before processing the setting of 
+        target destructured values and then restoring afterwards, we won't optimize out
+        later TDZ check(s).
+
+        A similar change of saving / restoring the TDZ stack where exceptions might
+        happen was done for for..in loops in change set r232219.
+
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::ObjectPatternNode::bindValue const):
+
 2019-07-02  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r247041.

Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (247087 => 247088)


--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2019-07-03 05:43:11 UTC (rev 247087)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2019-07-03 06:01:12 UTC (rev 247088)
@@ -4304,6 +4304,9 @@
         addMethod = generator.emitGetById(generator.newTemporary(), excludedList.get(), generator.propertyNames().builtinNames().addPrivateName());
     }
 
+    BytecodeGenerator::PreservedTDZStack preservedTDZStack;
+    generator.preserveTDZStack(preservedTDZStack);
+
     for (size_t i = 0; i < m_targetPatterns.size(); i++) {
         const auto& target = m_targetPatterns[i];
         if (target.bindingType == BindingType::Element) {
@@ -4366,6 +4369,8 @@
             target.pattern->bindValue(generator, result.get());
         }
     }
+
+    generator.restoreTDZStack(preservedTDZStack);
 }
 
 void ObjectPatternNode::collectBoundIdentifiers(Vector<Identifier>& identifiers) const

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes