Bug 188874 - Function object should convert params to string before throw a parsing error
Summary: Function object should convert params to string before throw a parsing error
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Safari 11
Hardware: Unspecified macOS 10.13
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-08-22 17:49 PDT by Sotero Jr
Modified: 2018-09-01 01:04 PDT (History)
9 users (show)

See Also:

Attachments
Patch (3.46 KB, patch)
2018-08-24 23:32 PDT, Yusuke Suzuki 		darin: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sotero Jr 2018-08-22 17:49:37 PDT 
Hi everyone,

I found out an inconsistency in JSC when we declare a Function Object with a special characters as params.

Version: 235121
O.S: MacOS High Sierra Version 10.13.6

step to reproduce:
assertThrowsValue(() => Function("@", { toString() { throw 42; } }), 42);

atual result: 
SyntaxError: Invalid character: '@'

expected result:
pass without failures

V8, Chakra and SpiderMonkey works as expected 

cinfuzz
Comment 1 Yusuke Suzuki 2018-08-24 23:32:42 PDT 
Created attachment 348075 [details]
Patch
Comment 2 Darin Adler 2018-08-25 17:23:50 PDT 
Comment on attachment 348075 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=348075&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        ToString operation onto the `body` of the Function constructor should be performed
> +        before checking syntax correctness of the parameters.

I have no doubt that this is better, but I wonder where these semantics are defined and tested unambiguously. There must be lots of other cases where the order of evaluation side effect is visible, and the new test covers just this one.
Comment 3 Saam Barati 2018-08-28 23:14:41 PDT 
(In reply to Darin Adler from comment #2)
> Comment on attachment 348075 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=348075&action=review
> 
> > Source/JavaScriptCore/ChangeLog:9
> > +        ToString operation onto the `body` of the Function constructor should be performed
> > +        before checking syntax correctness of the parameters.
> 
> I have no doubt that this is better, but I wonder where these semantics are
> defined and tested unambiguously. There must be lots of other cases where
> the order of evaluation side effect is visible, and the new test covers just
> this one.

It's defined here:
https://tc39.github.io/ecma262/#sec-createdynamicfunction

I agree that it would be nice to add some more tests that stress the order of evaluation, including the order of toString on the parameters.
Comment 4 Yusuke Suzuki 2018-09-01 01:02:58 PDT 
Comment on attachment 348075 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=348075&action=review

Thanks!

>>> Source/JavaScriptCore/ChangeLog:9
>>> +        before checking syntax correctness of the parameters.
>> 
>> I have no doubt that this is better, but I wonder where these semantics are defined and tested unambiguously. There must be lots of other cases where the order of evaluation side effect is visible, and the new test covers just this one.
> 
> It's defined here:
> https://tc39.github.io/ecma262/#sec-createdynamicfunction
> 
> I agree that it would be nice to add some more tests that stress the order of evaluation, including the order of toString on the parameters.

I've added the test checking the order of toString onto the arguments of Function constructor.
Comment 5 Yusuke Suzuki 2018-09-01 01:03:48 PDT 
Committed r235582: <https://trac.webkit.org/changeset/235582>
Comment 6 Radar WebKit Bug Importer 2018-09-01 01:04:17 PDT 
<rdar://problem/43989360>