Scopes that are not under TDZ should still push their variables onto the TDZ stack...
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 2 Jul 2016 17:43:56 +0000 (17:43 +0000)
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 2 Jul 2016 17:43:56 +0000 (17:43 +0000)
commit: 59fe4a43cb8a3005d67252247d7b79e78be4f252
tree: 0117e88c0613d26b7cffa67e1068fe13c272f147
parent: dd19fed3c126a3ecbe689627a92a2015cad1268b
Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope
https://bugs.webkit.org/show_bug.cgi?id=159332
rdar://problem/27018958

Reviewed by Saam Barati.

This fixes an instacrash in this code:

    try{}catch(e){}print(e);let e;

We lift TDZ for "e" in "catch (e){}", but since that scope doesn't push anything onto the
TDZ stack, we lift TDZ from "let e".

The problem is that we weren't tracking the set of variables that do not have TDZ. We need
to track them to "block" the traversal that lifts TDZ. This change fixes this issue by
using a map that tracks all known variables, and tells you if they are under TDZ or not.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::numParameters):
* bytecode/CodeOrigin.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::Label::setLocation):
(JSC::Variable::dump):
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::pushLexicalScopeInternal):
(JSC::BytecodeGenerator::popLexicalScope):
(JSC::BytecodeGenerator::popLexicalScopeInternal):
(JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
(JSC::BytecodeGenerator::variable):
(JSC::BytecodeGenerator::needsTDZCheck):
(JSC::BytecodeGenerator::liftTDZCheckIfPossible):
(JSC::BytecodeGenerator::pushTDZVariables):
(JSC::BytecodeGenerator::getVariablesUnderTDZ):
(JSC::BytecodeGenerator::endGenerator):
(WTF::printInternal):
* bytecompiler/BytecodeGenerator.h:
(JSC::Variable::isConst):
(JSC::Variable::setIsReadOnly):
* interpreter/CallFrame.h:
(JSC::ExecState::topOfFrame):
* tests/stress/lift-tdz-bypass-catch.js: Added.
(foo):
(catch):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202778 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/bytecode/CodeOrigin.h
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
Source/JavaScriptCore/interpreter/CallFrame.h
Source/JavaScriptCore/tests/stress/lift-tdz-bypass-catch.js [new file with mode: 0644]
Source/WTF/benchmarks/LockFairnessTest.cpp
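As an added illustration of the semantics the commit message describes (example code written here, not the project's lift-tdz-bypass-catch.js test), the snippet below runs the crashing shape under a conforming engine and compares it with two controls. Function names are constructed; the point is that a correct engine must still emit the TDZ check for the outer "e" even though the catch parameter "e" in an inner scope is never under TDZ.

```javascript
// Added example, not the WebKit test file: shows the TDZ semantics that the
// commit above makes the bytecode generator enforce. Function names are
// constructed for illustration.

// The exact shape from the commit message. "catch (e)" introduces its own
// binding of "e" that is never in a temporal dead zone (TDZ). The outer
// "let e" is hoisted to the function scope but stays uninitialized until its
// declaration runs, so reading it here must throw a ReferenceError.
// The bug: the TDZ-lifting traversal walked past the catch scope (which
// pushed nothing onto the TDZ stack) and wrongly concluded the outer "e"
// could be read without a check.
function readOuterAfterCatch() {
    try {} catch (e) {}
    return e;
    let e;
}

// Control: the same outer "e" read after its declaration has executed,
// so the TDZ check (if still emitted) passes.
function readOuterAfterInit() {
    try {} catch (e) {}
    let e = "initialized";
    return e;
}

// Control: reading the catch parameter inside the catch block is always
// fine; it is initialized the moment the block is entered.
function readCatchParam() {
    try { throw "thrown"; } catch (e) { return e; }
}

// Runs fn and reports the outcome as a string so results can be compared
// without relying on printed output.
function outcome(fn) {
    try {
        return "value:" + fn();
    } catch (err) {
        return err instanceof ReferenceError ? "ReferenceError" : "other:" + err;
    }
}

console.log(outcome(readOuterAfterCatch)); // ReferenceError
console.log(outcome(readOuterAfterInit));  // value:initialized
console.log(outcome(readCatchParam));      // value:thrown
```

An engine with the bug would return the uninitialized slot from readOuterAfterCatch instead of throwing, which is the unchecked read behind the crash; the two controls show that the fix does not change behaviour where a binding really is initialized.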