Context Navigation

← Previous Change
Next Change →

bytecompiler

Timestamp:

Jun 13, 2021, 11:29:46 AM (4 years ago)

Author:

[email protected]

Message:

https://bugs.webkit.org/show_bug.cgi?id=226576
<rdar://problem/78810362>

Reviewed by Yusuke Suzuki.

JSTests:

stress/short-circuit-read-modify-write-cant-write-dst-before-tdz-check.js: Added.

(let.result.eval.try.captureV):
(catch):

Source/JavaScriptCore:

ShortCircuitReadModifyResolveNode can't emit a value into
its result until after it emits a TDZ check. We were temporarily
storing the result of the get_from_scope into the dst. Then
we'd emit the TDZ check. The TDZ check can throw, and it could
lead to us returning TDZ from the eval itself. Instead, we need
to use a temporary to emit a TDZ check on. Only after the TDZ check
passes can we move the temporary into the result.

bytecompiler/NodesCodegen.cpp:

(JSC::ShortCircuitReadModifyResolveNode::emitBytecode):

File:

: 1 edited

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

-              r278591
+              r278819
     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
     RefPtr<RegisterID> result = generator.tempDestination(dst);
     generator.emitGetFromScope(result.get(), scope.get(), var, ThrowIfNotFound);
     generator.emitTDZCheckIfNecessary(var, result.get(), nullptr);
+    RefPtr<RegisterID> uncheckedResult = generator.newTemporary();
+    generator.emitGetFromScope(uncheckedResult.get(), scope.get(), var, ThrowIfNotFound);
+    generator.emitTDZCheckIfNecessary(var, uncheckedResult.get(), nullptr);
     Ref<Label> afterAssignment = generator.newLabel();
     emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
     generator.emitNode(result.get(), m_right); // Execute side effects first.
+    emitShortCircuitAssignment(generator, uncheckedResult.get(), m_operator, afterAssignment.get());
+    generator.emitNode(uncheckedResult.get(), m_right); // Execute side effects first.
     bool threwException = isReadOnly ? generator.emitReadOnlyExceptionIfNeeded(var) : false;
 …
     if (!isReadOnly) {
         result = generator.emitPutToScope(scope.get(), var, result.get(), ThrowIfNotFound, InitializationMode::NotInitialization);
         generator.emitProfileType(result.get(), var, divotStart(), divotEnd());
+        generator.emitPutToScope(scope.get(), var, uncheckedResult.get(), ThrowIfNotFound, InitializationMode::NotInitialization);
+        generator.emitProfileType(uncheckedResult.get(), var, divotStart(), divotEnd());
+    }
     generator.emitLabel(afterAssignment.get());
     return generator.move(dst, result.get());
+    return generator.move(generator.finalDestination(dst, uncheckedResult.get()), uncheckedResult.get());
+}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 278819 in webkit for trunk/Source/JavaScriptCore/bytecompiler

Legend:

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

Download in other formats: