| Summary: | [jsfunfuzz] Assertion + incorrect behaviour with dynamically created local variable in a catch block | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Oliver Hunt <oliver> | ||||
| Component: | JavaScriptCore | Assignee: | Oliver Hunt <oliver> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | ||||||
| Priority: | P2 | ||||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | Mac | ||||||
| OS: | OS X 10.5 | ||||||
| Bug Depends on: | |||||||
| Bug Blocks: | 13638 | ||||||
| Attachments: |
|
||||||
Created attachment 26344 [details]
Fix the creation of scopes for catch blocks containing eval
Fixeration
Comment on attachment 26344 [details]
Fix the creation of scopes for catch blocks containing eval
You have a typo in your ChangeLog. It should be
the catch block's static scope
rather than
the catch blocks static scope. You should also put the bool after the pointer member variables in the class definition.
Other than that, r=me.
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/parser/Grammar.y M JavaScriptCore/parser/Nodes.cpp M JavaScriptCore/parser/Nodes.h M LayoutTests/ChangeLog M LayoutTests/fast/js/eval-var-decl-expected.txt M LayoutTests/fast/js/resources/eval-var-decl.js Committed r39534 |
try { throw ""; } catch(e) { eval("var x=1"); } This throws, because the eval code attempts to insert a dynamic property onto the catch blocks scope object. but the catch block has a static scope node so cannot receive new properties.