If the assignment in a for..of loop header throws an exception before the actual assignment, the TDZ check for the variable doesn't happen and subsequent access to the variable will fail.
<rdar://problem/52452341>
Created attachment 373303 [details] Patch
Comment on attachment 373303 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=373303&action=review > Source/JavaScriptCore/ChangeLog:10 > + By saving the current state of the TDZ stack before processing the setting of > + the target values and then restoring afterwards, we won't optimize out > + future TDZ checks. Where were we missing the TDZ check? Does this make it so we emit TDZ checks for "use" in something like "for (let o of arr) { use(o); }"
(In reply to Saam Barati from comment #3) > Comment on attachment 373303 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=373303&action=review > > > Source/JavaScriptCore/ChangeLog:10 > > + By saving the current state of the TDZ stack before processing the setting of > > + the target values and then restoring afterwards, we won't optimize out > > + future TDZ checks. > > Where were we missing the TDZ check? Does this make it so we emit TDZ checks > for "use" in something like "for (let o of arr) { use(o); }" We were missing TDZ checks in the case where the LHS of the for..of was a destructuring. We will emit TDZ checks in two other cases where the LHS is a coercible assignment, for..in and a straight destructuring assignment. I'll add that this is only for destructuring assignments to the change log. This change doesn't emit any different code for your example.
Created attachment 373322 [details] Updated ChangeLog I also updated the bug title to include that this is for destructured assignments.
Committed r247088: <https://trac.webkit.org/changeset/247088>