Skip to site navigation (Press enter)

[webkit-changes] [202654] trunk/Source/JavaScriptCore

sbarati Wed, 29 Jun 2016 15:34:30 -0700

Title: [202654] trunk/Source/_javascript_Core

Revision: 202654
Author: sbar...@apple.com
Date: 2016-06-29 15:34:03 -0700 (Wed, 29 Jun 2016)

Log Message

We don't emit TDZ checks for call_eval
https://bugs.webkit.org/show_bug.cgi?id=159277
<rdar://problem/27018801>


Reviewed by Benjamin Poulain.

This is a problem if you're trying to call a TDZ variable
that is named 'eval'.

* bytecompiler/NodesCodegen.cpp:
(JSC::EvalFunctionCallNode::emitBytecode):
* tests/stress/variable-named-eval-under-tdz.js: Added.
(shouldThrowTDZ):
(test):
(test.foo):
(throw.new.Error):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp

Added Paths

trunk/Source/_javascript_Core/tests/stress/variable-named-eval-under-tdz.js

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (202653 => 202654)


--- trunk/Source/_javascript_Core/ChangeLog	2016-06-29 22:18:38 UTC (rev 202653)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-06-29 22:34:03 UTC (rev 202654)
@@ -1,3 +1,22 @@
+2016-06-29  Saam barati  <sbar...@apple.com>
+
+        We don't emit TDZ checks for call_eval
+        https://bugs.webkit.org/show_bug.cgi?id=159277
+        <rdar://problem/27018801>
+
+        Reviewed by Benjamin Poulain.
+
+        This is a problem if you're trying to call a TDZ variable
+        that is named 'eval'.
+
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::EvalFunctionCallNode::emitBytecode):
+        * tests/stress/variable-named-eval-under-tdz.js: Added.
+        (shouldThrowTDZ):
+        (test):
+        (test.foo):
+        (throw.new.Error):
+
 2016-06-29  Mark Lam  <mark....@apple.com>
 
         Add support for collecting cumulative LLINT stats via a JSC_llintStatsFile option.

Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (202653 => 202654)


--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2016-06-29 22:18:38 UTC (rev 202653)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2016-06-29 22:34:03 UTC (rev 202654)
@@ -756,6 +756,7 @@
 
     Variable var = generator.variable(generator.propertyNames().eval);
     if (RegisterID* local = var.local()) {
+        generator.emitTDZCheckIfNecessary(var, local, nullptr);
         RefPtr<RegisterID> func = generator.emitMove(generator.tempDestination(dst), local);
         CallArguments callArguments(generator, m_args);
         generator.emitLoad(callArguments.thisRegister(), jsUndefined());
@@ -770,6 +771,7 @@
         callArguments.thisRegister(),
         generator.emitResolveScope(callArguments.thisRegister(), var));
     generator.emitGetFromScope(func.get(), callArguments.thisRegister(), var, ThrowIfNotFound);
+    generator.emitTDZCheckIfNecessary(var, func.get(), nullptr);
     return generator.emitCallEval(generator.finalDestination(dst, func.get()), func.get(), callArguments, divot(), divotStart(), divotEnd());
 }

Added: trunk/Source/_javascript_Core/tests/stress/variable-named-eval-under-tdz.js (0 => 202654)


--- trunk/Source/_javascript_Core/tests/stress/variable-named-eval-under-tdz.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/variable-named-eval-under-tdz.js	2016-06-29 22:34:03 UTC (rev 202654)
@@ -0,0 +1,87 @@
+function shouldThrowTDZ(func) {
+    var hasThrown = false;
+    try {
+        func();
+    } catch(e) {
+        hasThrown = e instanceof ReferenceError;
+    }
+    if (!hasThrown)
+        throw new Error("Did not throw TDZ error");
+}
+
+function test(f, n = 1000) {
+    for (let i = 0; i < n; i++)
+        f();
+}
+
+test(function() {
+    function foo() {
+        eval("20");
+        let eval;
+    }
+    shouldThrowTDZ(foo);
+});
+
+test(function() {
+    function foo() {
+        eval("20");
+        let {eval} = {eval:450};
+    }
+    shouldThrowTDZ(foo);
+});
+
+test(function() {
+    function foo() {
+        eval("20");
+        const eval = 45;
+    }
+    shouldThrowTDZ(foo);
+});
+
+test(function() {
+    function foo() {
+        eval("20");
+    }
+    shouldThrowTDZ(foo);
+    let eval;
+});
+
+test(function() {
+    function foo() {
+        eval("20");
+    }
+    shouldThrowTDZ(foo);
+    let {eval} = {eval:450};
+});
+
+test(function() {
+    function foo() {
+        eval("20");
+    }
+    shouldThrowTDZ(foo);
+    const eval = 45;
+});
+
+{
+    let threw = false;
+    try {
+        eval(20);
+        let eval;
+    } catch(e) {
+        threw = e instanceof ReferenceError;
+    }
+    if (!threw)
+        throw new Error("Bad")
+}
+
+{
+    let threw = false;
+    try {
+        eval(20);
+        const eval = 25;
+    } catch(e) {
+        threw = e instanceof ReferenceError;
+    }
+    if (!threw)
+        throw new Error("Bad")
+}

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes