Bug 185995 - for-in loops should preserve and restore the TDZ stack for each of its internal loops.
Summary: for-in loops should preserve and restore the TDZ stack for each of its intern...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-05-25 14:45 PDT by Mark Lam
Modified: 2018-05-25 17:24 PDT (History)
6 users (show)

See Also:

Attachments
proposed patch. (6.59 KB, patch)
2018-05-25 16:00 PDT, Mark Lam 		saam: review+
Details | Formatted Diff | Diff
patch for landing. (6.59 KB, patch)
2018-05-25 16:16 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
patch for landing. (6.51 KB, patch)
2018-05-25 16:17 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2018-05-25 14:45:00 PDT 
This is because there's not guarantee that any of the loop bodies will have executed.  Hence, there's no guarantee that the TDZ variables will have beeb initialized after each loop body.

<rdar://problem/40173142>
Comment 1 Mark Lam 2018-05-25 16:00:43 PDT 
Created attachment 341342 [details]
proposed patch.
Comment 2 Saam Barati 2018-05-25 16:04:05 PDT 
Comment on attachment 341342 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=341342&action=review

r=me

> JSTests/stress/regress-185995.js:5
> +        "var list = { 'a' : 5 };" + "\n" +
> +        "for(const { x = x } in list)" + "\n" +
> +        "    x();";

Why not just write this code out in the try instead of eval?

> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3079
> +    BytecodeGenerator::PreservedTDZStack preservedTDZStack;
> +    generator.preserveTDZStack(preservedTDZStack);

Not a big deal, but I think it'd make sense if this just were an RAII. Could just be a SetForScope<....> and you can use it in each scope below.
Comment 3 Mark Lam 2018-05-25 16:11:13 PDT 
Comment on attachment 341342 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=341342&action=review

>> JSTests/stress/regress-185995.js:5
>> +        "    x();";
> 
> Why not just write this code out in the try instead of eval?

Because in my mind, I conflated ReferenceError with SyntaxError.  I'll switch to doing it in the try block.

>> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3079
>> +    generator.preserveTDZStack(preservedTDZStack);
> 
> Not a big deal, but I think it'd make sense if this just were an RAII. Could just be a SetForScope<....> and you can use it in each scope below.

I'll re-write it as an RAII BytecodeGenerator::TDZStackPreservationScope.
Comment 4 Mark Lam 2018-05-25 16:12:51 PDT 
Comment on attachment 341342 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=341342&action=review

>>> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3079
>>> +    generator.preserveTDZStack(preservedTDZStack);
>> 
>> Not a big deal, but I think it'd make sense if this just were an RAII. Could just be a SetForScope<....> and you can use it in each scope below.
> 
> I'll re-write it as an RAII BytecodeGenerator::TDZStackPreservationScope.

On second thought, I'll keep it as is.  This saves on the amount of mallocs and copying of the TDZ stack ... not that the stack should be all that big.
Comment 5 Mark Lam 2018-05-25 16:16:48 PDT 
Created attachment 341345 [details]
patch for landing.
Comment 6 Mark Lam 2018-05-25 16:17:55 PDT 
Created attachment 341346 [details]
patch for landing.
Comment 7 Mark Lam 2018-05-25 17:12:11 PDT 
Comment on attachment 341346 [details]
patch for landing.

Thanks for the review.  Landing this now.
Comment 8 WebKit Commit Bot 2018-05-25 17:24:02 PDT 
Comment on attachment 341346 [details]
patch for landing.

Clearing flags on attachment: 341346

Committed r232219: <https://trac.webkit.org/changeset/232219>
Comment 9 WebKit Commit Bot 2018-05-25 17:24:04 PDT 
All reviewed patches have been landed.  Closing bug.