Spread expressions are not fair game for direct binding
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Feb 2016 20:18:31 +0000 (20:18 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Feb 2016 20:18:31 +0000 (20:18 +0000)
commit8aa068a2e26aad64dd684a1f8d8beadb4ed3ebda
tree253711706ca2db3abd1a36c2e9f463d4c977d34e
parent4c56992d2eee81c0732c61600cd390debe404792
Spread expressions are not fair game for direct binding
https://bugs.webkit.org/show_bug.cgi?id=154042
rdar://problem/24291413

Reviewed by Saam Barati.

Prior to this change we crashed on this:

    var [x] = [...y];

Because NodesCodegen thinks that this is a direct binding.  It's not, because we cannot
directly generate bytecode for "...y".  This is a unique property of spread expressions, so
its sufficient to just bail out of direct binding if we see a spread expression. That's what
this patch does.

* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayPatternNode::emitDirectBinding):
* tests/stress/spread-in-tail.js: Added.
(foo):
(catch):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196323 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
Source/JavaScriptCore/tests/stress/spread-in-tail.js [new file with mode: 0644]