Title: [183912] trunk
Revision
183912
Author
rn...@webkit.org
Date
2015-05-06 22:15:56 -0700 (Wed, 06 May 2015)

Log Message

ToT WebKit crashes while loading ES6 compatibility table
https://bugs.webkit.org/show_bug.cgi?id=144726

Reviewed by Filip Pizlo.

Source/_javascript_Core:

The bug was caused by parseClass superfluously avoiding building up the string after seeing {.

Always build the identifier here as it could be a method name.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):

LayoutTests:

Added new test cases.

* js/class-syntax-string-and-numeric-names-expected.txt:
* js/script-tests/class-syntax-string-and-numeric-names.js:
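
The log message says the parser skipped building the string for the token after the opening `{` of a class body, which is the method name when the first member is named by a string literal or a number. The script below, an added example that is not part of this revision or of WebKit's test suite, probes that family of class-body shapes (string, numeric, static, getter and computed names, first member and not, nested in a function body as in the new layout tests and at top level). The probe sources and names are constructed for this example; on an engine with the bug the nested cases would crash at compile time rather than return a value.

```javascript
"use strict";

// Constructed probe sources (assumptions of this example, not test cases
// taken from the WebKit change): each class body starts with, or contains,
// a member named by a string literal or a number.
const probes = {
  stringFirst:      "return class { 'foo bar'() { return 1; } };",
  numericFirst:     "return class { 30() { return 2; } };",
  stringAfterIdent: "return class { a() { return 0; } 'b c'() { return 3; } };",
  staticString:     "return class { static 'x y'() { return 4; } };",
  numericGetter:    "return class { get 5() { return 5; } };",
  computedFirst:    "return class { ['p' + 'q']() { return 6; } };",
};

// Build the class inside a function body, as the new layout tests do.
function classFromFunctionBody(source) {
  return new Function(source)();
}

// Own property names of the prototype, so the declared names can be checked
// as strings ("foo bar", "30") rather than only through a call.
function prototypeKeys(source) {
  return Object.getOwnPropertyNames(classFromFunctionBody(source).prototype);
}

// Calls each declared member through its name and collects the results; an
// engine with the parser bug would crash while compiling these sources.
function runProbes() {
  const inst = (name) => new (classFromFunctionBody(probes[name]))();
  return {
    stringFirst:      inst("stringFirst")["foo bar"](),
    numericFirst:     inst("numericFirst")[30](),
    stringAfterIdent: inst("stringAfterIdent")["b c"](),
    staticString:     classFromFunctionBody(probes.staticString)["x y"](),
    numericGetter:    inst("numericGetter")[5],
    computedFirst:    inst("computedFirst").pq(),
  };
}

// The first form parsed at top level through indirect eval, for comparison
// with the nested form.
function runTopLevel() {
  const C = (0, eval)("(class { 'foo bar'() { return 7; } })");
  return new C()["foo bar"]();
}
```

Run it under the engine being checked (for WebKit, `jsc` from the build in question); `runProbes()` returning all six values without a crash is the regression check, and `prototypeKeys` shows that the numeric name is stored as the string key "30".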

Diff

Modified: trunk/LayoutTests/ChangeLog (183911 => 183912)


--- trunk/LayoutTests/ChangeLog	2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/LayoutTests/ChangeLog	2015-05-07 05:15:56 UTC (rev 183912)
@@ -1,3 +1,15 @@
+2015-05-06  Ryosuke Niwa  <rn...@webkit.org>
+
+        ToT WebKit crashes while loading ES6 compatibility table
+        https://bugs.webkit.org/show_bug.cgi?id=144726
+
+        Reviewed by Filip Pizlo.
+
+        Added new test cases.
+
+        * js/class-syntax-string-and-numeric-names-expected.txt:
+        * js/script-tests/class-syntax-string-and-numeric-names.js:
+
 2015-05-06  Brent Fulgham  <bfulg...@apple.com>
 
         Scroll-snap points do not handle margins and padding propertly

Modified: trunk/LayoutTests/js/class-syntax-string-and-numeric-names-expected.txt (183911 => 183912)


--- trunk/LayoutTests/js/class-syntax-string-and-numeric-names-expected.txt	2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/LayoutTests/js/class-syntax-string-and-numeric-names-expected.txt	2015-05-07 05:15:56 UTC (rev 183912)
@@ -40,6 +40,8 @@
 PASS (new X)[6] is undefined
 PASS setterValue = 0; X = class { static set 7(x) { setterValue = x } static get 7() { } }; X[7] = 27; setterValue is 27
 PASS (new X)[7] = 28; setterValue is 27
+PASS function x() { return class { 'foo bar'() { return 29; } } }; (new (x()))['foo bar']() is 29
+PASS function x() { return class { 30() { return 30; } } }; (new (x()))[30]() is 30
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/js/script-tests/class-syntax-string-and-numeric-names.js (183911 => 183912)


--- trunk/LayoutTests/js/script-tests/class-syntax-string-and-numeric-names.js	2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/LayoutTests/js/script-tests/class-syntax-string-and-numeric-names.js	2015-05-07 05:15:56 UTC (rev 183912)
@@ -51,3 +51,6 @@
 shouldBe("(new X)[6]", "undefined");
 shouldBe("setterValue = 0; X = class { static set 7(x) { setterValue = x } static get 7() { } }; X[7] = 27; setterValue", "27");
 shouldBe("(new X)[7] = 28; setterValue", "27");
+
+shouldBe("function x() { return class { 'foo bar'() { return 29; } } }; (new (x()))['foo bar']()", "29");
+shouldBe("function x() { return class { 30() { return 30; } } }; (new (x()))[30]()", "30");
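Review bot: the two new cases differ from the cases just above them only in that the class is created inside `function x()`, and nothing in the file says that the nesting is what reproduced the crash; a one-line comment before the two shouldBe calls stating that would keep a later cleanup from folding them into the top-level form used by the other cases. Both cases also declare the same global `function x()`, which the second silently redefines; a distinct name per case avoids that.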

Modified: trunk/Source/_javascript_Core/ChangeLog (183911 => 183912)


--- trunk/Source/_javascript_Core/ChangeLog	2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-05-07 05:15:56 UTC (rev 183912)
@@ -1,3 +1,17 @@
+2015-05-06  Ryosuke Niwa  <rn...@webkit.org>
+
+        ToT WebKit crashes while loading ES6 compatibility table
+        https://bugs.webkit.org/show_bug.cgi?id=144726
+
+        Reviewed by Filip Pizlo.
+
+        The bug was caused by parseClass superfluously avoiding to build up the string after seeing {.
+
+        Always build the identifier here as it could be a method name.
+
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseClass):
+
 2015-05-05  Filip Pizlo  <fpi...@apple.com>
 
         Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase
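Review bot: "superfluously avoiding to build up the string" is ungrammatical and does not say which string; from the Parser.cpp change in this revision it is the lexer string for the token following the opening `{`, which is the method name when the first class member is named by a string literal or a number. Suggest wording such as: "parseClass consumed the opening '{' with DontBuildStrings, so the identifier for the following token was never built when that token was a string or numeric method name (the new ASSERT(ident) checks for this)."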

Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (183911 => 183912)


--- trunk/Source/_javascript_Core/parser/Parser.cpp	2015-05-07 04:56:11 UTC (rev 183911)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp	2015-05-07 05:15:56 UTC (rev 183912)
@@ -1529,7 +1529,7 @@
     }
     const ConstructorKind constructorKind = parentClass ? ConstructorKind::Derived : ConstructorKind::Base;
 
-    consumeOrFailWithFlags(OPENBRACE, TreeBuilder::DontBuildStrings, "Expected opening '{' at the start of a class body");
+    consumeOrFail(OPENBRACE, "Expected opening '{' at the start of a class body");
 
     TreeExpression constructor = 0;
     TreePropertyList staticMethods = 0;
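Review bot: the change from consumeOrFailWithFlags(OPENBRACE, TreeBuilder::DontBuildStrings, ...) to consumeOrFail carries no comment saying why the string for the token after `{` must be built here; a short comment (the next token may be a string or numeric method name, handled by the STRING and DOUBLE/INTEGER cases in the member loop) would stop a later cleanup from reintroducing the flag. It is also worth checking whether any other place that consumes an OPENBRACE with DontBuildStrings is followed by property-name parsing, since only parseClass is changed here.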
@@ -1558,16 +1558,19 @@
         switch (m_token.m_type) {
         case STRING:
             ident = m_token.m_data.ident;
+            ASSERT(ident);
             next();
             break;
         case IDENT:
             ident = m_token.m_data.ident;
             isGetter = *ident == propertyNames.get;
             isSetter = *ident == propertyNames.set;
+            ASSERT(ident);
             break;
         case DOUBLE:
         case INTEGER:
             ident = &m_parserArena.identifierArena().makeNumericIdentifier(const_cast<VM*>(m_vm), m_token.m_data.doubleValue);
+            ASSERT(ident);
             next();
             break;
         default:
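Review bot: in the IDENT case the new `ASSERT(ident);` is placed after `isGetter = *ident == propertyNames.get;` and `isSetter = *ident == propertyNames.set;`, both of which already dereference ident, so a null ident would crash before the assertion fires; move the ASSERT directly after `ident = m_token.m_data.ident;`, as the STRING and DOUBLE/INTEGER cases do.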
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
