When we capture an argument by name and we use "arguments", we put all of the arguments into the scope. But destructured arguments are put into the scope anonymously, i.e. the SymbolTable knows that the scope offset is in use via SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in SymbolTable::m_map. The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will have a size which is based on the largest ScopeOffset in the m_map. If we have a scenario where the anonymous argument is at a higher ScopeOffset than all the named arguments, then the m_localToEntry will not have an entry for it, i.e. the m_localToEntry vector will have a size that is <= the ScopeOffset of the anonymous argument. Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is within the bounds of the m_localToEntry vector before indexing into it.
<rdar://problem/20975495>
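The size mismatch described in the report, reproduced in a toy model with a bounds-checked lookup. This is an added example, not WebKit's code: `ToySymbolTable`, `addNamed`, `reserveAnonymous` and `maxScopeOffset` are hypothetical names, and the real SymbolTable's locking and entry types are omitted.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Toy model with an assumed layout; only the member names follow the bug report.
struct Entry { std::string name; uint32_t scopeOffset; };

class ToySymbolTable {
public:
    // Named variable: recorded in m_map and counted in m_maxScopeOffset.
    void addNamed(const std::string& name, uint32_t offset) {
        m_map[name] = Entry{name, offset};
        m_maxScopeOffset = std::max(m_maxScopeOffset, offset);
        m_built = false;
    }
    // Anonymous (destructured) argument: the slot is reserved, but m_map gets no entry.
    void reserveAnonymous(uint32_t offset) { m_maxScopeOffset = std::max(m_maxScopeOffset, offset); }
    uint32_t maxScopeOffset() const { return m_maxScopeOffset; }
    // Synthesized from m_map alone, so its size follows the largest named offset.
    const std::vector<const Entry*>& localToEntry() {
        if (!m_built) {
            std::size_t size = 0;
            for (const auto& kv : m_map)
                size = std::max<std::size_t>(size, kv.second.scopeOffset + 1);
            m_localToEntry.assign(size, nullptr);
            for (const auto& kv : m_map)
                m_localToEntry[kv.second.scopeOffset] = &kv.second;
            m_built = true;
        }
        return m_localToEntry;
    }
    // Bounds-checked lookup: an offset past the vector (an anonymous slot) yields nullptr
    // instead of an out-of-bounds read.
    const Entry* entryFor(uint32_t offset) {
        const auto& toEntryVector = localToEntry(); // bound by reference, so no copy is made
        return offset < toEntryVector.size() ? toEntryVector[offset] : nullptr;
    }
private:
    std::map<std::string, Entry> m_map;
    std::vector<const Entry*> m_localToEntry;
    uint32_t m_maxScopeOffset = 0;
    bool m_built = false;
};

int main() {
    ToySymbolTable t; t.addNamed("a", 0); t.addNamed("b", 1); t.reserveAnonymous(2);
    return t.entryFor(2) == nullptr ? 0 : 1; // constructed scenario: anonymous slot is highest
}
```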
Created attachment 256516
the patch: testing is in progress.
Comment on attachment 256516
the patch: testing is in progress.

View in context: https://bugs.webkit.org/attachment.cgi?id=256516&action=review

> Source/JavaScriptCore/runtime/SymbolTable.cpp:133
> + auto toEntryVector = localToEntry(locker);

This should be auto&
Created attachment 256527
patch 2: fixed bug found by Fil.
All tests have passed with no new failures. EWS bot test failures appear to be due to pre-existing conditions. Patch landed in r186643: <http://trac.webkit.org/r186643>.