Title: [204182] trunk
- Revision
- 204182
- Author
- [email protected]
- Date
- 2016-08-05 12:16:28 -0700 (Fri, 05 Aug 2016)
Log Message
Assertion failure when accessing TDZ variable in catch through eval
https://bugs.webkit.org/show_bug.cgi?id=160554
Reviewed by Mark Lam and Keith Miller.
JSTests:
* stress/catch-variables-under-tdz.js: Added.
(test):
Source/_javascript_Core:
When we were calculating the variables under TDZ from a JSScope,
the algorithm was not taking into account that a catch scope
has variables under TDZ.
* runtime/JSScope.cpp:
(JSC::JSScope::collectVariablesUnderTDZ):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (204181 => 204182)
--- trunk/JSTests/ChangeLog 2016-08-05 18:57:13 UTC (rev 204181)
+++ trunk/JSTests/ChangeLog 2016-08-05 19:16:28 UTC (rev 204182)
@@ -1,3 +1,13 @@
+2016-08-05 Saam Barati <[email protected]>
+
+ Assertion failure when accessing TDZ variable in catch through eval
+ https://bugs.webkit.org/show_bug.cgi?id=160554
+
+ Reviewed by Mark Lam and Keith Miller.
+
+ * stress/catch-variables-under-tdz.js: Added.
+ (test):
+
2016-08-04 Yusuke Suzuki <[email protected]>
[ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
Added: trunk/JSTests/stress/catch-variables-under-tdz.js (0 => 204182)
--- trunk/JSTests/stress/catch-variables-under-tdz.js (rev 0)
+++ trunk/JSTests/stress/catch-variables-under-tdz.js 2016-08-05 19:16:28 UTC (rev 204182)
@@ -0,0 +1,21 @@
+function test(s) {
+ for (let i = 0; i < 100; i++) {
+ let threw = false;
+ try {
+ let evalString = `try { throw new Error } catch(${s}) { }`;
+ eval(evalString);
+ } catch(e) {
+ threw = e instanceof ReferenceError;
+ }
+ if (!threw)
+ throw new Error("Bad test!");
+ }
+}
+
+test("{a = a}");
+test("{a = eval('a')}");
+test("{a = eval('a + a')}");
+test("{a = eval('b'), b}");
+test("{a = eval('b + b'), b}");
+test("{a = eval('b + b'), b = 20}");
+test("{a = b+b, b = 20}");
Modified: trunk/Source/_javascript_Core/ChangeLog (204181 => 204182)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-05 18:57:13 UTC (rev 204181)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-05 19:16:28 UTC (rev 204182)
@@ -1,3 +1,17 @@
+2016-08-05 Saam Barati <[email protected]>
+
+ Assertion failure when accessing TDZ variable in catch through eval
+ https://bugs.webkit.org/show_bug.cgi?id=160554
+
+ Reviewed by Mark Lam and Keith Miller.
+
+ When we were calculating the variables under TDZ from a JSScope,
+ the algorithm was not taking into account that a catch scope
+ has variables under TDZ.
+
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::collectVariablesUnderTDZ):
+
2016-08-05 Keith Miller <[email protected]>
Delete out of date WASM code.
Modified: trunk/Source/_javascript_Core/runtime/JSScope.cpp (204181 => 204182)
--- trunk/Source/_javascript_Core/runtime/JSScope.cpp 2016-08-05 18:57:13 UTC (rev 204181)
+++ trunk/Source/_javascript_Core/runtime/JSScope.cpp 2016-08-05 19:16:28 UTC (rev 204182)
@@ -264,7 +264,7 @@
void JSScope::collectVariablesUnderTDZ(JSScope* scope, VariableEnvironment& result)
{
for (; scope; scope = scope->next()) {
- if (!scope->isLexicalScope() && !scope->isGlobalLexicalEnvironment())
+ if (!scope->isLexicalScope() && !scope->isGlobalLexicalEnvironment() && !scope->isCatchScope())
continue;
if (scope->isModuleScope()) {
@@ -274,7 +274,7 @@
}
SymbolTable* symbolTable = jsCast<JSSymbolTableObject*>(scope)->symbolTable();
- ASSERT(symbolTable->scopeType() == SymbolTable::ScopeType::LexicalScope || symbolTable->scopeType() == SymbolTable::ScopeType::GlobalLexicalScope);
+ ASSERT(symbolTable->scopeType() == SymbolTable::ScopeType::LexicalScope || symbolTable->scopeType() == SymbolTable::ScopeType::GlobalLexicalScope || symbolTable->scopeType() == SymbolTable::ScopeType::CatchScope);
ConcurrentJITLocker locker(symbolTable->m_lock);
for (auto end = symbolTable->end(locker), iter = symbolTable->begin(locker); iter != end; ++iter)
result.add(iter->key);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
