Modified: branches/safari-605-branch/JSTests/ChangeLog (232376 => 232377)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-05-31 23:50:15 UTC (rev 232376)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-06-01 00:19:09 UTC (rev 232377)
@@ -1,3 +1,43 @@
+2018-05-31 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r232219. rdar://problem/40641075
+
+ for-in loops should preserve and restore the TDZ stack for each of its internal loops.
+ https://bugs.webkit.org/show_bug.cgi?id=185995
+ <rdar://problem/40173142>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/regress-185995.js: Added.
+
+ Source/_javascript_Core:
+
+ This is because there's no guarantee that any of the loop bodies will be
+ executed. Hence, there's no guarantee that the TDZ variables will have been
+ initialized after each loop body.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::preserveTDZStack):
+ (JSC::BytecodeGenerator::restoreTDZStack):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitBytecode):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232219 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-05-25 Mark Lam <mark....@apple.com>
+
+ for-in loops should preserve and restore the TDZ stack for each of its internal loops.
+ https://bugs.webkit.org/show_bug.cgi?id=185995
+ <rdar://problem/40173142>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-185995.js: Added.
+
2018-05-17 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r231871. rdar://problem/40346090
Added: branches/safari-605-branch/JSTests/stress/regress-185995.js (0 => 232377)
--- branches/safari-605-branch/JSTests/stress/regress-185995.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/regress-185995.js 2018-06-01 00:19:09 UTC (rev 232377)
@@ -0,0 +1,13 @@
+(function() {
+ var exception;
+ try {
+ var list = { 'a' : 5 };
+ for(const { x = x } in list)
+ x();
+ } catch (e) {
+ exception = e;
+ }
+
+ if (exception != "ReferenceError: Cannot access uninitialized variable.")
+ throw "FAILED";
+})();
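Review bot: When the comparison on the second-to-last line fails, `throw "FAILED"` discards the exception that was actually observed, so a regression that raises a different error (or none at all, leaving `exception` undefined) is indistinguishable from any other failure in the test output; `throw "FAILED: unexpected " + exception;` keeps that diagnostic at no cost. The check also pins the exact engine-specific message text, which is reasonable for a JSC-internal stress test, but the intent of the `x = x` default is easy to miss, so a one-line comment above the loop such as `// x is read in its own initializer: the TDZ check must be emitted for every for-in loop variant, not only the first one generated.` would tie the test to the bug it guards.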
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (232376 => 232377)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-31 23:50:15 UTC (rev 232376)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-06-01 00:19:09 UTC (rev 232377)
@@ -1,3 +1,52 @@
+2018-05-31 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r232219. rdar://problem/40641075
+
+ for-in loops should preserve and restore the TDZ stack for each of its internal loops.
+ https://bugs.webkit.org/show_bug.cgi?id=185995
+ <rdar://problem/40173142>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/regress-185995.js: Added.
+
+ Source/_javascript_Core:
+
+ This is because there's no guarantee that any of the loop bodies will be
+ executed. Hence, there's no guarantee that the TDZ variables will have been
+ initialized after each loop body.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::preserveTDZStack):
+ (JSC::BytecodeGenerator::restoreTDZStack):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitBytecode):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232219 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-05-25 Mark Lam <mark....@apple.com>
+
+ for-in loops should preserve and restore the TDZ stack for each of its internal loops.
+ https://bugs.webkit.org/show_bug.cgi?id=185995
+ <rdar://problem/40173142>
+
+ Reviewed by Saam Barati.
+
+ This is because there's no guarantee that any of the loop bodies will be
+ executed. Hence, there's no guarantee that the TDZ variables will have been
+ initialized after each loop body.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::preserveTDZStack):
+ (JSC::BytecodeGenerator::restoreTDZStack):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitBytecode):
+
2018-05-17 Kocsen Chung <kocsen_ch...@apple.com>
Cherry-pick r231871. rdar://problem/40346090
Modified: branches/safari-605-branch/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (232376 => 232377)
--- branches/safari-605-branch/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2018-05-31 23:50:15 UTC (rev 232376)
+++ branches/safari-605-branch/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2018-06-01 00:19:09 UTC (rev 232377)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
* Copyright (C) 2008 Cameron Zwarich <cwzwar...@uwaterloo.ca>
* Copyright (C) 2012 Igalia, S.L.
*
@@ -3113,6 +3113,16 @@
}
}
+void BytecodeGenerator::preserveTDZStack(BytecodeGenerator::PreservedTDZStack& preservedStack)
+{
+ preservedStack.m_preservedTDZStack = m_TDZStack;
+}
+
+void BytecodeGenerator::restoreTDZStack(const BytecodeGenerator::PreservedTDZStack& preservedStack)
+{
+ m_TDZStack = preservedStack.m_preservedTDZStack;
+}
+
RegisterID* BytecodeGenerator::emitNewObject(RegisterID* dst)
{
size_t begin = instructions().size();
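Review bot: restoreTDZStack overwrites m_TDZStack unconditionally, so a caller that restores at a different lexical-scope depth than it preserved at would silently drop or resurrect TDZ entries, and the resulting mis-elided check would only surface later as a wrong-value bug at runtime; if, as the for-in use suggests, callers are expected to restore at the same depth, `ASSERT(m_TDZStack.size() == preservedStack.m_preservedTDZStack.size());` at the top of restoreTDZStack would catch that misuse in debug builds. Both functions copy the whole Vector<TDZMap> (a vector of HashMaps), which is presumably fine for a few restores per for-in loop, but a short comment saying the copy is intentional because one snapshot is restored more than once would stop a future reader from turning restoreTDZStack into a move.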
Modified: branches/safari-605-branch/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h (232376 => 232377)
--- branches/safari-605-branch/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h 2018-05-31 23:50:15 UTC (rev 232376)
+++ branches/safari-605-branch/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h 2018-06-01 00:19:09 UTC (rev 232377)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
* Copyright (C) 2008 Cameron Zwarich <cwzwar...@uwaterloo.ca>
* Copyright (C) 2012 Igalia, S.L.
*
@@ -1092,6 +1092,13 @@
void initializeArrowFunctionContextScopeIfNeeded(SymbolTable* functionSymbolTable = nullptr, bool canReuseLexicalEnvironment = false);
bool needsDerivedConstructorInArrowFunctionLexicalEnvironment();
+ enum class TDZNecessityLevel {
+ NotNeeded,
+ Optimize,
+ DoNotOptimize
+ };
+ typedef HashMap<RefPtr<UniquedStringImpl>, TDZNecessityLevel, IdentifierRepHash> TDZMap;
+
public:
JSString* addStringConstant(const Identifier&);
JSValue addBigIntConstant(const Identifier&, uint8_t radix);
@@ -1101,6 +1108,15 @@
RegisterID* emitThrowExpressionTooDeepException();
+ class PreservedTDZStack {
+ private:
+ Vector<TDZMap> m_preservedTDZStack;
+ friend class BytecodeGenerator;
+ };
+
+ void preserveTDZStack(PreservedTDZStack&);
+ void restoreTDZStack(const PreservedTDZStack&);
+
private:
Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow> m_instructions;
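Review bot: The new PreservedTDZStack class and the preserve/restore pair carry no comment explaining when a code generator must use them, which is the non-obvious part of this fix; a comment above the class along the lines of `// Snapshot of m_TDZStack. Take one before emitting several alternative code paths (e.g. the three for-in loops) and restore it before each path, so TDZ-check elisions proven in one path are not carried into a path that may run without it.` would record the reasoning the ChangeLog gives. Since preserveTDZStack only fills its out-parameter, returning the snapshot by value (`PreservedTDZStack preserveTDZStack() const;`) would let callers write `auto preserved = generator.preserveTDZStack();` instead of default-constructing and then assigning, though that is a style preference only.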
@@ -1113,12 +1129,7 @@
int m_symbolTableConstantIndex;
};
Vector<LexicalScopeStackEntry> m_lexicalScopeStack;
- enum class TDZNecessityLevel {
- NotNeeded,
- Optimize,
- DoNotOptimize
- };
- typedef HashMap<RefPtr<UniquedStringImpl>, TDZNecessityLevel, IdentifierRepHash> TDZMap;
+
Vector<TDZMap> m_TDZStack;
std::optional<size_t> m_varScopeLexicalScopeStackIndex;
void pushTDZVariables(const VariableEnvironment&, TDZCheckOptimization, TDZRequirement);
Modified: branches/safari-605-branch/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (232376 => 232377)
--- branches/safari-605-branch/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-05-31 23:50:15 UTC (rev 232376)
+++ branches/safari-605-branch/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-06-01 00:19:09 UTC (rev 232377)
@@ -3037,6 +3037,9 @@
enumerator = generator.emitGetPropertyEnumerator(generator.newTemporary(), base.get());
+ BytecodeGenerator::PreservedTDZStack preservedTDZStack;
+ generator.preserveTDZStack(preservedTDZStack);
+
// Indexed property loop.
{
Ref<LabelScope> scope = generator.newLabelScope(LabelScope::Loop);
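Review bot: The snapshot is taken right after the enumerator is created with no comment, so a reader of ForInNode::emitBytecode has no local hint why the TDZ stack is saved at this point; a comment such as `// Any of the three loops below may be skipped at runtime, so TDZ-check elisions proven while emitting one loop body must not leak into the next: snapshot the TDZ stack now and restore it before each subsequent loop.` would make the invariant explicit where it is relied upon. ForInNode::emitBytecode starts before this hunk and continues past it.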
@@ -3076,6 +3079,7 @@
generator.emitJump(end.get());
generator.emitLabel(loopEnd.get());
}
+ generator.restoreTDZStack(preservedTDZStack);
// Structure property loop.
{
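Review bot: The restore sits between two loop blocks rather than inside the block it protects, so a future loop variant added to ForInNode::emitBytecode could easily omit it; placing `generator.restoreTDZStack(preservedTDZStack);` as the first statement of each subsequent loop's `{ ... }` block ties the reset to the loop whose emission depends on it. No restore is visible after the generic property loop; if the loop variable's lexical scope is popped right after the loops that is harmless, but if code emitted after the for-in still consults the TDZ state left by the last loop it would inherit elisions that only hold when that loop ran, so a comment stating which of these is the case would help. ForInNode::emitBytecode starts before this hunk and continues past it.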
@@ -3116,6 +3120,7 @@
generator.emitJump(end.get());
generator.emitLabel(loopEnd.get());
}
+ generator.restoreTDZStack(preservedTDZStack);
// Generic property loop.
{