RESOLVED FIXED 199395
Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code 
https://bugs.webkit.org/show_bug.cgi?id=199395
Summary Exception from For..of loop destructured assignment eliminates TDZ checks in ...
Michael Saboff
Reported 2019-07-01 21:20:21 PDT
If the assignment in a for..of loop header throws an exception before the actual assignment, the TDZ check for the variable doesn't happen and subsequent access to the variable will fail.
Attachments
Patch (3.39 KB, patch)
2019-07-01 21:31 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Updated ChangeLog (3.72 KB, patch)
2019-07-02 07:59 PDT, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2019-07-01 21:20:38 PDT
<rdar://problem/52452341>
Michael Saboff
Comment 2 2019-07-01 21:31:08 PDT
Created attachment 373303 [details] Patch
Saam Barati
Comment 3 2019-07-01 21:52:17 PDT
Comment on attachment 373303 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=373303&action=review > Source/JavaScriptCore/ChangeLog:10 > + By saving the current state of the TDZ stack before processing the setting of > + the target values and then restoring afterwards, we won't optimize out > + future TDZ checks. Where were we missing the TDZ check? Does this make it so we emit TDZ checks for "use" in something like "for (let o of arr) { use(o); }"
Michael Saboff
Comment 4 2019-07-02 07:48:08 PDT
(In reply to Saam Barati from comment #3) > Comment on attachment 373303 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=373303&action=review > > > Source/JavaScriptCore/ChangeLog:10 > > + By saving the current state of the TDZ stack before processing the setting of > > + the target values and then restoring afterwards, we won't optimize out > > + future TDZ checks. > > Where were we missing the TDZ check? Does this make it so we emit TDZ checks > for "use" in something like "for (let o of arr) { use(o); }" We were missing TDZ checks in the case where the LHS of the for..of was a destructuring. We will emit TDZ checks in two other cases where the LHS is a coercible assignment, for..in and a straight destructuring assignment. I'll add that this is only for destructuring assignments to the change log. This change doesn't emit any different code for your example.
Michael Saboff
Comment 5 2019-07-02 07:59:10 PDT
Created attachment 373322 [details] Updated ChangeLog I also updated the bug title to include that this is for destructured assignments.
Michael Saboff
Comment 6 2019-07-02 23:01:14 PDT
Committed r247088: <https://trac.webkit.org/changeset/247088>
Note You need to log in before you can comment on or make changes to this bug.