RESOLVED FIXED 188874
Function object should convert params to string before throw a parsing error 
https://bugs.webkit.org/show_bug.cgi?id=188874
Summary Function object should convert params to string before throw a parsing error
Sotero Jr
Reported 2018-08-22 17:49:37 PDT
Hi everyone, I found out an inconsistency in JSC when we declare a Function Object with a special characters as params. Version: 235121 O.S: MacOS High Sierra Version 10.13.6 step to reproduce: assertThrowsValue(() => Function("@", { toString() { throw 42; } }), 42); atual result: SyntaxError: Invalid character: '@' expected result: pass without failures V8, Chakra and SpiderMonkey works as expected cinfuzz
Attachments
Patch (3.46 KB, patch)
2018-08-24 23:32 PDT, Yusuke Suzuki 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2018-08-24 23:32:42 PDT
Created attachment 348075 [details] Patch
Darin Adler
Comment 2 2018-08-25 17:23:50 PDT
Comment on attachment 348075 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=348075&action=review > Source/JavaScriptCore/ChangeLog:9 > + ToString operation onto the `body` of the Function constructor should be performed > + before checking syntax correctness of the parameters. I have no doubt that this is better, but I wonder where these semantics are defined and tested unambiguously. There must be lots of other cases where the order of evaluation side effect is visible, and the new test covers just this one.
Saam Barati
Comment 3 2018-08-28 23:14:41 PDT
(In reply to Darin Adler from comment #2) > Comment on attachment 348075 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=348075&action=review > > > Source/JavaScriptCore/ChangeLog:9 > > + ToString operation onto the `body` of the Function constructor should be performed > > + before checking syntax correctness of the parameters. > > I have no doubt that this is better, but I wonder where these semantics are > defined and tested unambiguously. There must be lots of other cases where > the order of evaluation side effect is visible, and the new test covers just > this one. It's defined here: https://tc39.github.io/ecma262/#sec-createdynamicfunction I agree that it would be nice to add some more tests that stress the order of evaluation, including the order of toString on the parameters.
Yusuke Suzuki
Comment 4 2018-09-01 01:02:58 PDT
Comment on attachment 348075 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=348075&action=review Thanks! >>> Source/JavaScriptCore/ChangeLog:9 >>> + before checking syntax correctness of the parameters. >> >> I have no doubt that this is better, but I wonder where these semantics are defined and tested unambiguously. There must be lots of other cases where the order of evaluation side effect is visible, and the new test covers just this one. > > It's defined here: > https://tc39.github.io/ecma262/#sec-createdynamicfunction > > I agree that it would be nice to add some more tests that stress the order of evaluation, including the order of toString on the parameters. I've added the test checking the order of toString onto the arguments of Function constructor.
Yusuke Suzuki
Comment 5 2018-09-01 01:03:48 PDT
Committed r235582: <https://trac.webkit.org/changeset/235582>
Radar WebKit Bug Importer
Comment 6 2018-09-01 01:04:17 PDT
<rdar://problem/43989360>
Note You need to log in before you can comment on or make changes to this bug.