After code analysis I realized that when destructuring is being parsed with rest element, i.e, we find a "...", then we call parseBindingOrAssignmentElement (https://github.com/caiolima/webkit/blob/master/Source/JavaScriptCore/parser/Parser.cpp#L985) and then check if innerPattern is null. Looking into parseBindingOrAssignmentElement (https://github.com/caiolima/webkit/blob/master/Source/JavaScriptCore/parser/Parser.cpp#L903) we have 2 cases: 1) kind == DestructuringKind::DestructureToExpressions In that case, we goes to parseAssignmentElement with can return a null inner pattern. 2) kind != DestructuringKind::DestructureToExpressions In that case, the parser falls to parseDestructuringPattern and it only return 0 if kind == DestructuringKind::DestructureToExpressions with will never be the case in that. It means that this check in https://github.com/caiolima/webkit/blob/master/Source/JavaScriptCore/parser/Parser.cpp#L986 has redundant kind check, since innerPattern only can be true if and only if kind == DestructuringKind::DestructureToExpressions. I'm going to send a Patch ro remove that, because the code right now looks buggy with kind check.

Created attachment 310139 [details] Patch

Comment on attachment 310139 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=310139&action=review > Source/JavaScriptCore/ChangeLog:17 > + This patch is removing parseDestructuringPattern "kind" check when > + parsing rest destructuring (i.e when it proccess "..." token) > + and parseBindingOrAssignmentElement returns 0. This checks is > + redundant, because parseBindingOrAssignmentElement only can return > + null when "kind" is DestructuringKind::DestructureToExpressions. We > + can verify that looking at parseBindingOrAssignmentElement that falls > + to parseAssignmentElement when "kind == DestructuringKind::DestructureToExpressions" > + and to parseDestructuringPattern otherwise. In > + parseDestructuringPattern we can check that it onlys return 0 if > + kind == DestructuringKind::DestructureToExpressions. I'm not sure that this is true. 1. If kind != DestructuringKind::DestructureToExpressions, parseBindingOrAssignmentElement() returns the result of parseDestructuringPattern(). 2. In parseDestructuringPattern(), a. the OPENBRACKET case has a consumeOrFail that can return 0. b. the OPENBRACE case has failIfTrue, failIfTrueIfStrict, semanticFailIfTrue, etc. that can return 0. These are just a few examples. How did you prove that all of these (and other similar failout macros) are not also returning if kind != DestructuringKind::DestructureToExpressions

> I'm not sure that this is true. > 1. If kind != DestructuringKind::DestructureToExpressions, > parseBindingOrAssignmentElement() returns the result of > parseDestructuringPattern(). > 2. In parseDestructuringPattern(), > a. the OPENBRACKET case has a consumeOrFail that can return 0. > b. the OPENBRACE case has failIfTrue, failIfTrueIfStrict, > semanticFailIfTrue, etc. that can return 0. > > These are just a few examples. How did you prove that all of these (and > other similar failout macros) are not also returning if kind != > DestructuringKind::DestructureToExpressions Oops, you are right about 2. I'm not considering the failout macros, my bad here. I was just considering the plain returns 0 in parseDestructuringPattern. But when they fail, it's going to cascade the syntax error to its client, right? So the check I've removed is still valid in that case, or Am I missing something? The problem I'm trying to solve is to return 0 if interPattern is 0, regardless the destructuring kind. Making it strictly to DestructuringToExpressions doesn't see right here.

Comment on attachment 310139 [details] Patch r- since we're in agreement that this patch is incorrect.

Also resolving as invalid since the premise that the bug is based on is incorrect.