Title: [183912] trunk
- Revision: 183912
- Author: rn...@webkit.org
- Date: 2015-05-06 22:15:56 -0700 (Wed, 06 May 2015)
Log Message
ToT WebKit crashes while loading ES6 compatibility table
https://bugs.webkit.org/show_bug.cgi?id=144726
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
The bug was caused by parseClass superfluously avoiding to build up the string after seeing {.
Always build the identifier here as it could be a method name.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
LayoutTests:
Added new test cases.
* js/class-syntax-string-and-numeric-names-expected.txt:
* js/script-tests/class-syntax-string-and-numeric-names.js:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (183911 => 183912)
--- trunk/LayoutTests/ChangeLog 2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/LayoutTests/ChangeLog 2015-05-07 05:15:56 UTC (rev 183912)
@@ -1,3 +1,15 @@
+2015-05-06 Ryosuke Niwa <rn...@webkit.org>
+
+ ToT WebKit crashes while loading ES6 compatibility table
+ https://bugs.webkit.org/show_bug.cgi?id=144726
+
+ Reviewed by Filip Pizlo.
+
+ Added new test cases.
+
+ * js/class-syntax-string-and-numeric-names-expected.txt:
+ * js/script-tests/class-syntax-string-and-numeric-names.js:
+
2015-05-06 Brent Fulgham <bfulg...@apple.com>
Scroll-snap points do not handle margins and padding propertly
Modified: trunk/LayoutTests/js/class-syntax-string-and-numeric-names-expected.txt (183911 => 183912)
--- trunk/LayoutTests/js/class-syntax-string-and-numeric-names-expected.txt 2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/LayoutTests/js/class-syntax-string-and-numeric-names-expected.txt 2015-05-07 05:15:56 UTC (rev 183912)
@@ -40,6 +40,8 @@
PASS (new X)[6] is undefined
PASS setterValue = 0; X = class { static set 7(x) { setterValue = x } static get 7() { } }; X[7] = 27; setterValue is 27
PASS (new X)[7] = 28; setterValue is 27
+PASS function x() { return class { 'foo bar'() { return 29; } } }; (new (x()))['foo bar']() is 29
+PASS function x() { return class { 30() { return 30; } } }; (new (x()))[30]() is 30
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/js/script-tests/class-syntax-string-and-numeric-names.js (183911 => 183912)
--- trunk/LayoutTests/js/script-tests/class-syntax-string-and-numeric-names.js 2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/LayoutTests/js/script-tests/class-syntax-string-and-numeric-names.js 2015-05-07 05:15:56 UTC (rev 183912)
@@ -51,3 +51,6 @@
shouldBe("(new X)[6]", "undefined");
shouldBe("setterValue = 0; X = class { static set 7(x) { setterValue = x } static get 7() { } }; X[7] = 27; setterValue", "27");
shouldBe("(new X)[7] = 28; setterValue", "27");
+
+shouldBe("function x() { return class { 'foo bar'() { return 29; } } }; (new (x()))['foo bar']()", "29");
+shouldBe("function x() { return class { 30() { return 30; } } }; (new (x()))[30]()", "30");
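Review bot: The two added shouldBe cases wrap the class in function x() { return class { ... } }, while the existing cases just above assign X = class { ... } directly, and nothing in the file says why the wrapper is needed. Add a one-line comment above them that names bug 144726 and states what about the wrapper reaches the crashing path, so the cases are not simplified into the X = class form later. Both cases also exercise only a plain method as the first member; a string or numeric name used with get, set or static in the same wrapper is not covered here.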
Modified: trunk/Source/_javascript_Core/ChangeLog (183911 => 183912)
--- trunk/Source/_javascript_Core/ChangeLog 2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-05-07 05:15:56 UTC (rev 183912)
@@ -1,3 +1,17 @@
+2015-05-06 Ryosuke Niwa <rn...@webkit.org>
+
+ ToT WebKit crashes while loading ES6 compatibility table
+ https://bugs.webkit.org/show_bug.cgi?id=144726
+
+ Reviewed by Filip Pizlo.
+
+ The bug was caused by parseClass superfluously avoiding to build up the string after seeing {.
+
+ Always build the identifier here as it could be a method name.
+
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseClass):
+
2015-05-05 Filip Pizlo <fpi...@apple.com>
Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase
Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (183911 => 183912)
--- trunk/Source/_javascript_Core/parser/Parser.cpp 2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp 2015-05-07 05:15:56 UTC (rev 183912)
@@ -1529,7 +1529,7 @@
}
const ConstructorKind constructorKind = parentClass ? ConstructorKind::Derived : ConstructorKind::Base;
- consumeOrFailWithFlags(OPENBRACE, TreeBuilder::DontBuildStrings, "Expected opening '{' at the start of a class body");
+ consumeOrFail(OPENBRACE, "Expected opening '{' at the start of a class body");
TreeExpression constructor = 0;
TreePropertyList staticMethods = 0;
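Review bot: The reason for dropping TreeBuilder::DontBuildStrings on the OPENBRACE consume is recorded only in the ChangeLog ("Always build the identifier here as it could be a method name"). Put that sentence in a comment on the consumeOrFail(OPENBRACE, ...) line, otherwise the flag reads like a harmless optimization that someone could restore.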
@@ -1558,16 +1558,19 @@
switch (m_token.m_type) {
case STRING:
ident = m_token.m_data.ident;
+ ASSERT(ident);
next();
break;
case IDENT:
ident = m_token.m_data.ident;
isGetter = *ident == propertyNames.get;
isSetter = *ident == propertyNames.set;
+ ASSERT(ident);
break;
case DOUBLE:
case INTEGER:
ident = &m_parserArena.identifierArena().makeNumericIdentifier(const_cast<VM*>(m_vm), m_token.m_data.doubleValue);
+ ASSERT(ident);
next();
break;
default:
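Review bot: In the IDENT case the new ASSERT(ident) sits after `isGetter = *ident == propertyNames.get;` and `isSetter = *ident == propertyNames.set;`, which have already dereferenced ident, so the assertion cannot catch a null pointer before it is used. Move it to directly after `ident = m_token.m_data.ident;`, as in the STRING case. In the DOUBLE/INTEGER case ident is the address of the object returned by makeNumericIdentifier, so that assertion cannot fire and can be dropped.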