Diff - e8caec4b8a8d065da3f8de9b86029778c6d452d3^! - WebKit

commit	e8caec4b8a8d065da3f8de9b86029778c6d452d3	[log] [tgz]
author	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Tue Mar 31 19:42:56 2015 +0000
committer	rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Tue Mar 31 19:42:56 2015 +0000
tree	10df600245e8fe0b60b0d9ab973696dc2c75e928
parent	bb06ff23cb180c7e5a80b2fb14e680b1a025a149 [diff] [blame]

eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor https://bugs.webkit.org/show_bug.cgi?id=142883 Reviewed by Filip Pizlo. The crash was caused by eval inside the constructor of a derived class not checking TDZ. Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this" in eval inside a derived class' constructor. * bytecode/EvalCodeCache.h: (JSC::EvalCodeCache::getSlow): * bytecompiler/NodesCodegen.cpp: (JSC::ThisNode::emitBytecode): * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::evaluate): * interpreter/Interpreter.cpp: (JSC::eval): * parser/ASTBuilder.h: (JSC::ASTBuilder::thisExpr): * parser/NodeConstructors.h: (JSC::ThisNode::ThisNode): * parser/Nodes.h: * parser/Parser.cpp: (JSC::Parser<LexerType>::Parser): (JSC::Parser<LexerType>::parsePrimaryExpression): * parser/Parser.h: (JSC::parse): * parser/ParserModes.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::thisExpr): * runtime/CodeCache.cpp: (JSC::CodeCache::getGlobalCodeBlock): (JSC::CodeCache::getProgramCodeBlock): (JSC::CodeCache::getEvalCodeBlock): * runtime/CodeCache.h: (JSC::SourceCodeKey::SourceCodeKey): * runtime/Executable.cpp: (JSC::EvalExecutable::create): * runtime/Executable.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::createEvalCodeBlock): * runtime/JSGlobalObject.h: * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncEval): * tests/stress/class-syntax-no-tdz-in-eval.js: Added. * tests/stress/class-syntax-tdz-in-eval.js: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@182198 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp index 003ee40..4f7476c 100644 --- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp +++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -144,7 +144,7 @@ RegisterID* ThisNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst) { - if (generator.constructorKind() == ConstructorKind::Derived) + if (m_shouldAlwaysEmitTDZCheck || generator.constructorKind() == ConstructorKind::Derived) generator.emitTDZCheck(generator.thisRegister()); if (dst == generator.ignoredResult())