[JSC] New expression and value function call should reserve function register if arguments include assignments
https://bugs.webkit.org/show_bug.cgi?id=220429
<rdar://problem/70598359>
Reviewed by Alexey Shvayka.
JSTests:
- stress/comma-value-func-call-resolve.js: Added.
(shouldBe):
(fn.x):
(fn):
- stress/construct-overwritten-variable.js:
(shouldThrow):
(new.x.x): Deleted.
- stress/construct-spread-overwritten-variable-2.js:
(shouldThrow):
(new.x.x): Deleted.
- stress/construct-spread-overwritten-variable.js:
(shouldThrow):
(new.x.x): Deleted.
- stress/destructuring-func-call-resolve.js: Added.
(shouldBe):
(fn.x):
(fn):
(fn2.x):
(fn2):
- stress/resolve-func-call-resolve.js: Added.
(shouldBe):
(fn.x):
(fn):
- stress/tagged-template-call-resolve.js: Added.
(shouldBe):
(fn.x):
(fn):
- test262/expectations.yaml:
Source/JavaScriptCore:
If the following code is executed, we need to reserve |x| before evaluating arguments since arguments can override
local |x| variable before calling it.
new x(x = 1)
We found there are two places we are not doing this.
- new expression
- function value call (it is checking
isLocation(), but we can still use local variables for function if we use comma expression)
We introduced hasAssignment flag to ArgumentsNode, and reserve a function in a new temporary register if arguments include assignments.
We also need to increment assignmentCount in destructuring assignment.
- bytecompiler/NodesCodegen.cpp:
(JSC::NewExprNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::ASTBuilder::createArguments):
- parser/NodeConstructors.h:
(JSC::ArgumentsNode::ArgumentsNode):
- parser/Nodes.h:
- parser/Parser.cpp:
(JSC::Parser<LexerType>::parseDestructuringPattern):
(JSC::Parser<LexerType>::parseArguments):
(JSC::SyntaxChecker::createArguments):
