RESOLVED FIXED 185995
for-in loops should preserve and restore the TDZ stack for each of its internal loops. 
https://bugs.webkit.org/show_bug.cgi?id=185995
Summary for-in loops should preserve and restore the TDZ stack for each of its intern...
Mark Lam
Reported 2018-05-25 14:45:00 PDT
This is because there's not guarantee that any of the loop bodies will have executed. Hence, there's no guarantee that the TDZ variables will have beeb initialized after each loop body. <rdar://problem/40173142>
Attachments
proposed patch. (6.59 KB, patch)
2018-05-25 16:00 PDT, Mark Lam 		saam: review+
DetailsFormatted DiffDiff
patch for landing. (6.59 KB, patch)
2018-05-25 16:16 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
patch for landing. (6.51 KB, patch)
2018-05-25 16:17 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2018-05-25 16:00:43 PDT
Created attachment 341342 [details] proposed patch.
Saam Barati
Comment 2 2018-05-25 16:04:05 PDT
Comment on attachment 341342 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=341342&action=review r=me > JSTests/stress/regress-185995.js:5 > + "var list = { 'a' : 5 };" + "\n" + > + "for(const { x = x } in list)" + "\n" + > + " x();"; Why not just write this code out in the try instead of eval? > Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3079 > + BytecodeGenerator::PreservedTDZStack preservedTDZStack; > + generator.preserveTDZStack(preservedTDZStack); Not a big deal, but I think it'd make sense if this just were an RAII. Could just be a SetForScope<....> and you can use it in each scope below.
Mark Lam
Comment 3 2018-05-25 16:11:13 PDT
Comment on attachment 341342 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=341342&action=review >> JSTests/stress/regress-185995.js:5 >> + " x();"; > > Why not just write this code out in the try instead of eval? Because in my mind, I conflated ReferenceError with SyntaxError. I'll switch to doing it in the try block. >> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3079 >> + generator.preserveTDZStack(preservedTDZStack); > > Not a big deal, but I think it'd make sense if this just were an RAII. Could just be a SetForScope<....> and you can use it in each scope below. I'll re-write it as an RAII BytecodeGenerator::TDZStackPreservationScope.
Mark Lam
Comment 4 2018-05-25 16:12:51 PDT
Comment on attachment 341342 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=341342&action=review >>> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3079 >>> + generator.preserveTDZStack(preservedTDZStack); >> >> Not a big deal, but I think it'd make sense if this just were an RAII. Could just be a SetForScope<....> and you can use it in each scope below. > > I'll re-write it as an RAII BytecodeGenerator::TDZStackPreservationScope. On second thought, I'll keep it as is. This saves on the amount of mallocs and copying of the TDZ stack ... not that the stack should be all that big.
Mark Lam
Comment 5 2018-05-25 16:16:48 PDT
Created attachment 341345 [details] patch for landing.
Mark Lam
Comment 6 2018-05-25 16:17:55 PDT
Created attachment 341346 [details] patch for landing.
Mark Lam
Comment 7 2018-05-25 17:12:11 PDT
Comment on attachment 341346 [details] patch for landing. Thanks for the review. Landing this now.
WebKit Commit Bot
Comment 8 2018-05-25 17:24:02 PDT
Comment on attachment 341346 [details] patch for landing. Clearing flags on attachment: 341346 Committed r232219: <https://trac.webkit.org/changeset/232219>
WebKit Commit Bot
Comment 9 2018-05-25 17:24:04 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.