2008-08-05 Cameron Zwarich <cwzwarich@uwaterloo.ca>

        Reviewed by Darin.

        Bug 20293: Crash in JavaScript codegen for eval("const a;")
        <https://bugs.webkit.org/show_bug.cgi?id=20293>

        Correctly handle constant declarations in eval code with no initializer.

        JavaScriptCore:

        * kjs/nodes.cpp:
        (KJS::ConstDeclNode::emitCodeSingle):

        LayoutTests:

        * fast/js/const-expected.txt:
        * fast/js/resources/const.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@35584 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 1cbe4994dc5eb206e798b914eeb18f0763d4676b..4fdaae51af726af3055566ac92587fadf7803b13 100644 (file)
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
+2008-08-05  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
+
+        Reviewed by Darin.
+
+        Bug 20293: Crash in JavaScript codegen for eval("const a;")
+        <https://bugs.webkit.org/show_bug.cgi?id=20293>
+
+        Correctly handle constant declarations in eval code with no initializer.
+
+        * kjs/nodes.cpp:
+        (KJS::ConstDeclNode::emitCodeSingle):
+
 2008-08-05  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
 
         Reviewed by Oliver.

diff --git a/JavaScriptCore/kjs/nodes.cpp b/JavaScriptCore/kjs/nodes.cpp
index 0db8087c97009f7668d80f939e911076da20b09f..870aec959422fc700c6b960864a746220327cd3a 100644 (file)
--- a/JavaScriptCore/kjs/nodes.cpp
+++ b/JavaScriptCore/kjs/nodes.cpp
@@ -1015,7 +1015,7 @@ RegisterID* ConstDeclNode::emitCodeSingle(CodeGenerator& generator)
     // FIXME: While this code should only be hit in eval code, it will potentially
     // assign to the wrong base if m_ident exists in an intervening dynamic scope.
     RefPtr<RegisterID> base = generator.emitResolveBase(generator.newTemporary(), m_ident);
-    RegisterID* value = generator.emitNode(m_init.get());
+    RegisterID* value = m_init ? generator.emitNode(m_init.get()) : generator.emitLoad(generator.newTemporary(), jsUndefined());
     return generator.emitPutById(base.get(), m_ident, value);
 }
 

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 9d88f5eee6d552b688600e680ad36119091c0bde..01a9131e52c8718442ba26e414ed96e3f3d11c3a 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2008-08-05  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
+
+        Reviewed by Darin.
+
+        Test for bug 20293: Crash in JavaScript codegen for eval("const a;")
+        <https://bugs.webkit.org/show_bug.cgi?id=20293>
+
+        * fast/js/const-expected.txt:
+        * fast/js/resources/const.js:
+
 2008-08-05  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
 
         Reviewed by Oliver.

diff --git a/LayoutTests/fast/js/const-expected.txt b/LayoutTests/fast/js/const-expected.txt
index 59fd8a55d6d0df63144989b54b4de28eb6628d0e..7ad664a5a74b45e836d8a09d46c66a10aab9749b 100644 (file)
--- a/LayoutTests/fast/js/const-expected.txt
+++ b/LayoutTests/fast/js/const-expected.txt
@@ -47,6 +47,7 @@ PASS object.inWith1 is 'RIGHT'
 PASS inWith2 is 'RIGHT'
 PASS (function(){ one = 2; return one; })() is 1
 PASS f() is f
+PASS const a; is undefined
 PASS successfullyParsed is true
 
 TEST COMPLETE

diff --git a/LayoutTests/fast/js/resources/const.js b/LayoutTests/fast/js/resources/const.js
index 4bade68af337ce972f6a27b1844d8f1fc6d651e6..a2dbe41c68b52065aa4ad9083811000cdb3aafa3 100644 (file)
--- a/LayoutTests/fast/js/resources/const.js
+++ b/LayoutTests/fast/js/resources/const.js
@@ -107,4 +107,6 @@ shouldBe("(function(){ one = 2; return one; })()", "1")
 var f = function g() { g="FAIL"; return g; };
 shouldBe("f()", "f");
 
+shouldBe("const a;", "undefined");
+
 var successfullyParsed = true;