Bug 199395

Summary: Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, fpizlo, keith_miller, mark.lam, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Updated ChangeLog fpizlo: review+

Description Michael Saboff 2019-07-01 21:20:21 PDT 
If the assignment in a for..of loop header throws an exception before the actual assignment, the TDZ check for the variable doesn't happen and subsequent access to the variable will fail.
Comment 1 Michael Saboff 2019-07-01 21:20:38 PDT 
<rdar://problem/52452341>
Comment 2 Michael Saboff 2019-07-01 21:31:08 PDT 
Created attachment 373303 [details]
Patch
Comment 3 Saam Barati 2019-07-01 21:52:17 PDT 
Comment on attachment 373303 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=373303&action=review

> Source/JavaScriptCore/ChangeLog:10
> +        By saving the current state of the TDZ stack before processing the setting of 
> +        the target values and then restoring afterwards, we won't optimize out
> +        future TDZ checks.

Where were we missing the TDZ check? Does this make it so we emit TDZ checks for "use" in something like "for (let o of arr) { use(o); }"
Comment 4 Michael Saboff 2019-07-02 07:48:08 PDT 
(In reply to Saam Barati from comment #3)
> Comment on attachment 373303 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=373303&action=review
> 
> > Source/JavaScriptCore/ChangeLog:10
> > +        By saving the current state of the TDZ stack before processing the setting of 
> > +        the target values and then restoring afterwards, we won't optimize out
> > +        future TDZ checks.
> 
> Where were we missing the TDZ check? Does this make it so we emit TDZ checks
> for "use" in something like "for (let o of arr) { use(o); }"

We were missing TDZ checks in the case where the LHS of the for..of was a destructuring.  We will emit TDZ checks in two other cases where the LHS is a coercible assignment, for..in and a straight destructuring assignment.

I'll add that this is only for destructuring assignments to the change log.

This change doesn't emit any different code for your example.
Comment 5 Michael Saboff 2019-07-02 07:59:10 PDT 
Created attachment 373322 [details]
Updated ChangeLog

I also updated the bug title to include that this is for destructured assignments.
Comment 6 Michael Saboff 2019-07-02 23:01:14 PDT 
Committed r247088: <https://trac.webkit.org/changeset/247088>