158796 2016-06-15 10:26:34 -0700 Assertion failure or crash when accessing let-variable in TDZ with eval with a function in it that returns let variable 2016-06-28 19:06:56 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 andre.bargull saam benjamin commit-queue keith_miller mark.lam msaboff saam webkit-bug-importer oldest_to_newest 1202615 0 andre.bargull 2016-06-15 10:26:34 -0700 SVN: rev202088 Build with: perl Tools/Scripts/build-jsc --gtk --debug The following test case triggers this assertion error: --- ASSERTION FAILED: returnValue --- Test case: --- { let b = {a: eval("function b(){ return b; }"), b: (1, eval)("(b())")}; } --- Stack trace: --- #0 0x00007ffff6de7098 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:317 #1 0x00007ffff694c7dc in JSC::checkedReturn (returnValue=...) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:809 #2 0x00007ffff694f249 in JSC::Interpreter::execute (this=0x7ffff0def058, eval=0x7fffaf1fbe50, callFrame=0x7fffffffcb00, thisValue=..., scope=0x7fffaf1dbfc0) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:1237 #3 0x00007ffff6bd3d41 in JSC::globalFuncEval (exec=0x7fffffffcb00) at ../../Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:673 ... --- Alternative test case which crashes: --- { let {b} = {a: eval("function b(){ return b; }"), b: (1, eval)("print(b())")}; } --- Stack trace: --- #0 0x0000000000448df0 in JSC::JSCell::isString (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:160 #1 0x0000000000449be6 in JSC::JSValue::isString (this=0x7fffffffbe50) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:553 #2 0x00000000004445d8 in JSC::JSValue::toString (this=0x7fffffffbe50, exec=0x7fffffffbec0) at ../../Source/JavaScriptCore/runtime/JSString.h:765 #3 0x000000000043556f in functionPrint (exec=0x7fffffffbec0) at ../../Source/JavaScriptCore/jsc.cpp:1143 ... --- 1204957 1 webkit-bug-importer 2016-06-23 16:02:34 -0700 <rdar://problem/26984659> 1206239 2 282304 saam 2016-06-28 17:38:40 -0700 Created attachment 282304 patch 1206241 3 282304 msaboff 2016-06-28 17:40:01 -0700 Comment on attachment 282304 patch r=me 1206265 4 saam 2016-06-28 19:06:56 -0700 landed in: https://trac.webkit.org/changeset/202602 282304 2016-06-28 17:38:40 -0700 2016-06-28 17:40:01 -0700 patch b-backup.diff text/plain 3710 saam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjAyNTk2KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI4IEBA CisyMDE2LTA2LTI4ICBTYWFtIEJhcmF0aSAgPHNiYXJhdGlAYXBwbGUuY29tPgorCisgICAgICAg IEFzc2VydGlvbiBmYWlsdXJlIG9yIGNyYXNoIHdoZW4gYWNjZXNzaW5nIGxldC12YXJpYWJsZSBp biBURFogd2l0aCBldmFsIHdpdGggYSBmdW5jdGlvbiBpbiBpdCB0aGF0IHJldHVybnMgbGV0IHZh cmlhYmxlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0x NTg3OTYKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzI2OTg0NjU5PgorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRoZXJlIHdhcyBhIGJ1ZyB3aGVyZSBz b21lIGZ1bmN0aW9ucyBpbnNpZGUgb2YgYW4gZXZhbCB3ZXJlCisgICAgICAgIG9taXR0aW5nIGEg bmVjZXNzYXJ5IFREWiBjaGVjay4gVGhpcyBvYnZpb3VzbHkgbGVhZHMgdG8gYmFkCisgICAgICAg IHRoaW5ncyBiZWNhdXNlIGEgdmFyaWFibGUgdW5kZXIgVERaIGlzIHRoZSBudWxsIHBvaW50ZXIu CisgICAgICAgIFRoZSBldmFsJ3MgYnl0ZWNvZGUgd2FzIGdlbmVyYXRlZCB3aXRoIHRoZSBjb3Jy ZWN0IFREWiBzZXQsIGJ1dCAKKyAgICAgICAgaXQgY3JlYXRlZCBhbGwgaXRzIGZ1bmN0aW9ucyBi ZWZvcmUgcHVzaGluZyB0aGF0IFREWiBzZXQgb250bworICAgICAgICB0aGUgc3RhY2suIFRoYXQn cyBhIG1pc3Rha2UuIFRob3NlIGZ1bmN0aW9ucyBuZWVkIHRvIGJlIGNyZWF0ZWQgd2l0aAorICAg ICAgICB0aGF0IFREWiBzZXQuIFRoZSBzb2x1dGlvbiBpcyBzaW1wbGUsIHRoZSBURFogc2V0IHRo YXQgdGhlIGV2YWwKKyAgICAgICAgaXMgY3JlYXRlZCB3aXRoIG5lZWRzIHRvIGJlIHB1c2hlZCBv bnRvIHRoZSBURFogc3RhY2sgYmVmb3JlCisgICAgICAgIHRoZSBldmFsIGNyZWF0ZXMgYW55IGZ1 bmN0aW9ucy4gCisKKyAgICAgICAgKiBieXRlY29tcGlsZXIvQnl0ZWNvZGVHZW5lcmF0b3IuY3Bw OgorICAgICAgICAoSlNDOjpCeXRlY29kZUdlbmVyYXRvcjo6Qnl0ZWNvZGVHZW5lcmF0b3IpOgor ICAgICAgICAqIHRlc3RzL3N0cmVzcy92YXJpYWJsZS11bmRlci10ZHotZXZhbC10cmlja3kuanM6 IEFkZGVkLgorICAgICAgICAoYXNzZXJ0KToKKyAgICAgICAgKHRocm93Lm5ldy5FcnJvcik6Cisg ICAgICAgIChhc3NlcnQudHJ5LnVuZGVyVERaKToKKwogMjAxNi0wNi0yOCAgU2FhbSBCYXJhdGkg IDxzYmFyYXRpQGFwcGxlLmNvbT4KIAogICAgICAgICBzb21lIFdhdGNocG9pbnRzJyA6OmZpcmVJ bnRlcm5hbCBtZXRob2Qgd2lsbCBjYWxsIG9wZXJhdGlvbnMgdGhhdCBtaWdodCBHQyB3aGVyZSB0 aGUgR0Mgd2lsbCBjYXVzZSB0aGUgd2F0Y2hwb2ludCBpdHNlbGYgdG8gZGVzdHJ1Y3QKSW5kZXg6 IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29tcGlsZXIvQnl0ZWNvZGVHZW5lcmF0b3IuY3Bw Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29tcGlsZXIvQnl0ZWNv ZGVHZW5lcmF0b3IuY3BwCShyZXZpc2lvbiAyMDI1OTUpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENv cmUvYnl0ZWNvbXBpbGVyL0J5dGVjb2RlR2VuZXJhdG9yLmNwcAkod29ya2luZyBjb3B5KQpAQCAt NjE5LDYgKzYxOSw4IEBAIEJ5dGVjb2RlR2VuZXJhdG9yOjpCeXRlY29kZUdlbmVyYXRvcihWTSYK IAogICAgIG1fY29kZUJsb2NrLT5zZXROdW1QYXJhbWV0ZXJzKDEpOwogCisgICAgcHVzaFREWlZh cmlhYmxlcygqcGFyZW50U2NvcGVURFpWYXJpYWJsZXMsIFREWkNoZWNrT3B0aW1pemF0aW9uOjpE b05vdE9wdGltaXplKTsKKwogICAgIGVtaXRFbnRlcigpOwogCiAgICAgYWxsb2NhdGVBbmRFbWl0 U2NvcGUoKTsKQEAgLTY0MSw4ICs2NDMsNiBAQCBCeXRlY29kZUdlbmVyYXRvcjo6Qnl0ZWNvZGVH ZW5lcmF0b3IoVk0mCiAgICAgaWYgKGV2YWxOb2RlLT51c2VzU3VwZXJDYWxsKCkgfHwgZXZhbE5v ZGUtPnVzZXNOZXdUYXJnZXQoKSkKICAgICAgICAgbV9uZXdUYXJnZXRSZWdpc3RlciA9IGFkZFZh cigpOwogCi0gICAgcHVzaFREWlZhcmlhYmxlcygqcGFyZW50U2NvcGVURFpWYXJpYWJsZXMsIFRE WkNoZWNrT3B0aW1pemF0aW9uOjpEb05vdE9wdGltaXplKTsKLSAgICAKICAgICBpZiAoY29kZUJs b2NrLT5pc0Fycm93RnVuY3Rpb25Db250ZXh0KCkgJiYgKGV2YWxOb2RlLT51c2VzVGhpcygpIHx8 IGV2YWxOb2RlLT51c2VzU3VwZXJQcm9wZXJ0eSgpKSkKICAgICAgICAgZW1pdExvYWRUaGlzRnJv bUFycm93RnVuY3Rpb25MZXhpY2FsRW52aXJvbm1lbnQoKTsKIApJbmRleDogU291cmNlL0phdmFT Y3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy92YXJpYWJsZS11bmRlci10ZHotZXZhbC10cmlja3kuanMK PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy92YXJpYWJs ZS11bmRlci10ZHotZXZhbC10cmlja3kuanMJKHJldmlzaW9uIDApCisrKyBTb3VyY2UvSmF2YVNj cmlwdENvcmUvdGVzdHMvc3RyZXNzL3ZhcmlhYmxlLXVuZGVyLXRkei1ldmFsLXRyaWNreS5qcwko d29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDM5IEBACitmdW5jdGlvbiBhc3NlcnQoYikgeworICAg IGlmICghYikKKyAgICAgICAgdGhyb3cgbmV3IEVycm9yKCJCYWQhIikKK30KKworCit7CisgICAg bGV0IHRocmV3ID0gZmFsc2U7CisgICAgdHJ5IHsKKyAgICAgICAgbGV0IHVuZGVyVERaID0gewor ICAgICAgICAgICAgcHJvcDogZXZhbCgiZnVuY3Rpb24gcGxlYXNlVERaTWUoKXsgcmV0dXJuIHVu ZGVyVERaOyB9OyBwbGVhc2VURFpNZSgpOyIpCisgICAgICAgIH07CisgICAgfSBjYXRjaChlKSB7 CisgICAgICAgIHRocmV3ID0gZSBpbnN0YW5jZW9mIFJlZmVyZW5jZUVycm9yOworICAgIH0KKyAg ICBhc3NlcnQodGhyZXcpOworfQorCit7CisgICAgbGV0IHRocmV3ID0gZmFsc2U7CisgICAgdHJ5 IHsKKyAgICAgICAgY29uc3QgdW5kZXJURFogPSB7CisgICAgICAgICAgICBwcm9wOiBldmFsKCJm dW5jdGlvbiBwbGVhc2VURFpNZSgpeyByZXR1cm4gdW5kZXJURFo7IH07IHBsZWFzZVREWk1lKCk7 IikKKyAgICAgICAgfTsKKyAgICB9IGNhdGNoKGUpIHsKKyAgICAgICAgdGhyZXcgPSBlIGluc3Rh bmNlb2YgUmVmZXJlbmNlRXJyb3I7CisgICAgfQorICAgIGFzc2VydCh0aHJldyk7Cit9CisKK3sK KyAgICBsZXQgdGhyZXcgPSBmYWxzZTsKKyAgICB0cnkgeworICAgICAgICBjbGFzcyB1bmRlclRE WiBleHRlbmRzIGV2YWwoImZ1bmN0aW9uIHBsZWFzZVREWk1lKCkgeyByZXR1cm4gdW5kZXJURFo7 IH07IHBsZWFzZVREWk1lKCkiKSB7IH07CisgICAgfSBjYXRjaChlKSB7CisgICAgICAgIHRocmV3 ID0gZSBpbnN0YW5jZW9mIFJlZmVyZW5jZUVycm9yOworICAgIH0KKyAgICBhc3NlcnQodGhyZXcp OworfQo=