RESOLVED FIXED157991
String template don't handle let initialization properly inside eval 
https://bugs.webkit.org/show_bug.cgi?id=157991
Summary String template don't handle let initialization properly inside eval
Oliver Hunt
Reported 2016-05-23 10:31:09 PDT
Insta crash: eval("let a=a``") I _think_ this code is syntactically correct, but * frame #0: 0x0000000000000000 frame #1: 0x00000001007de3fa JavaScriptCore`llint_entry + 23836 frame #2: 0x00000001007d84fb JavaScriptCore`vmEntryToJavaScript + 299 frame #3: 0x000000010064fafe JavaScriptCore`JSC::JITCode::execute(this=<unavailable>, vm=<unavailable>, protoCallFrame=<unavailable>) + 158 at JITCode.cpp:80 frame #4: 0x00000001005fee66 JavaScriptCore`JSC::Interpreter::execute(this=<unavailable>, eval=<unavailable>, callFrame=<unavailable>, thisValue=JSValue at 0x00007fff5fbfe2d0, scope=<unavailable>) + 1670 at Interpreter.cpp:1255 frame #5: 0x00000001005fe2d5 JavaScriptCore`JSC::eval(callFrame=<unavailable>) + 1669 at Interpreter.cpp:208 frame #6: 0x00000001007d610d JavaScriptCore`::llint_slow_path_call_eval(exec=0x00007fff5fbfeda0, pc=0x00000001029b6668) + 237 at LLIntSlowPaths.cpp:1377 frame #7: 0x00000001007deaf6 JavaScriptCore`llint_entry + 25624 frame #8: 0x00000001007d84fb JavaScriptCore`vmEntryToJavaScript + 299 frame #9: 0x000000010064fafe JavaScriptCore`JSC::JITCode::execute(this=<unavailable>, vm=<unavailable>, protoCallFrame=<unavailable>) + 158 at JITCode.cpp:80 frame #10: 0x0000000100603df6 JavaScriptCore`JSC::Interpreter::execute(this=<unavailable>, program=<unavailable>, callFrame=<unavailable>, thisObj=0x0000000106fabae0) + 15110 at Interpreter.cpp:960 frame #11: 0x00000001002575f7 JavaScriptCore`JSC::evaluate(exec=0x0000000106fdf940, source=0x00007fff5fbff8d0, thisValue=<unavailable>, returnedException=0x00007fff5fbff8f8) + 455 at Completion.cpp:107 frame #12: 0x000000010000448f jsc`runJSC(JSC::VM*, CommandLine) + 370 at jsc.cpp:2068 frame #13: 0x000000010000431d jsc`runJSC(vm=<unavailable>, options=CommandLine at 0x00007fff5fbffa40) + 4061 at jsc.cpp:2244 frame #14: 0x00000001000026cb jsc`jscmain(argc=<unavailable>, argv=<unavailable>) + 763 at jsc.cpp:2294 frame #15: 0x000000010000235a jsc`main(argc=1, argv=0x00007fff5fbffb48) + 154 at jsc.cpp:1947 frame #16: 0x00007fff8f46f5ad libdyld.dylib`start + 1 frame #17: 0x00007fff8f46f5ad libdyld.dylib`start + 1
Attachments
patch (3.37 KB, patch)
2016-05-23 12:15 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2016-05-23 12:15:31 PDT
Created attachment 279571 [details] patch
WebKit Commit Bot
Comment 2 2016-05-23 13:26:22 PDT
Comment on attachment 279571 [details] patch Clearing flags on attachment: 279571 Committed r201293: <http://trac.webkit.org/changeset/201293>
WebKit Commit Bot
Comment 3 2016-05-23 13:26:26 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.