Changeset 271265 in webkit for trunk/Source/JavaScriptCore/bytecompiler

Timestamp:

Jan 7, 2021, 3:17:44 PM (4 years ago)

Author:

[email protected]

Message:

[JSC] New expression and value function call should reserve function register if arguments include assignments
​https://bugs.webkit.org/show_bug.cgi?id=220429
<rdar://problem/70598359>

Reviewed by Alexey Shvayka.

JSTests:

• stress/comma-value-func-call-resolve.js: Added.

(shouldBe):
(fn.x):
(fn):

• stress/construct-overwritten-variable.js:

(shouldThrow):
(new.x.x): Deleted.

• stress/construct-spread-overwritten-variable-2.js:

(shouldThrow):
(new.x.x): Deleted.

• stress/construct-spread-overwritten-variable.js:

(shouldThrow):
(new.x.x): Deleted.

• stress/destructuring-func-call-resolve.js: Added.

(shouldBe):
(fn.x):
(fn):
(fn2.x):
(fn2):

• stress/resolve-func-call-resolve.js: Added.

(shouldBe):
(fn.x):
(fn):

• stress/tagged-template-call-resolve.js: Added.

(shouldBe):
(fn.x):
(fn):

• test262/expectations.yaml:

Source/JavaScriptCore:

If the following code is executed, we need to reserve |x| before evaluating arguments since arguments can override
local |x| variable before calling it.

new x(x = 1)

We found there are two places we are not doing this.

1. new expression
2. function value call (it is checking isLocation(), but we can still use local variables for function if we use comma expression)

We introduced hasAssignment flag to ArgumentsNode, and reserve a function in a new temporary register if arguments include assignments.
We also need to increment assignmentCount in destructuring assignment.

• bytecompiler/NodesCodegen.cpp:

(JSC::NewExprNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):

• parser/ASTBuilder.h:

(JSC::ASTBuilder::createArguments):

• parser/NodeConstructors.h:

(JSC::ArgumentsNode::ArgumentsNode):

• parser/Nodes.h:
• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseDestructuringPattern):
(JSC::Parser<LexerType>::parseArguments):

• parser/SyntaxChecker.h:

(JSC::SyntaxChecker::createArguments):

File:

• trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -980 +980 @@
     else
         expectedFunction = NoExpectedFunction;
-    RefPtr<RegisterID> func = generator.emitNode(m_expr);
+
+    RefPtr<RegisterID> func = nullptr;
+    if (m_args && m_args->hasAssignments())
+        func = generator.newTemporary();
+    func = generator.emitNode(func.get(), m_expr);
     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
     CallArguments callArguments(generator, m_args);
@@ -1101 +1105 @@
     }
 
-    RefPtr<RegisterID> func = generator.emitNode(m_expr);
+    RefPtr<RegisterID> func = nullptr;
+    if (m_args && m_args->hasAssignments())
+        func = generator.newTemporary();
+    func = generator.emitNode(func.get(), m_expr);
     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
     if (isOptionalChainBase())