Changeset 192586 in webkit

Timestamp:

Nov 18, 2015, 2:01:19 PM (10 years ago)

Author:

[email protected]

Message:

There is a bug when default parameter values are mixed with destructuring parameter values
​https://bugs.webkit.org/show_bug.cgi?id=151369

Reviewed by Geoffrey Garen and Mark Lam.

This patch changes our parser to no longer declare destructuring
parameters as "var"s. This is a weird bug that just happened
to work in a world without default parameter values. In a world with
default parameter values this is just completely wrong. It would
incorrectly transform this program:
function foo(a = function() { b = 40; }, {b}) { a(); return b; }; foo(undefined, {b: 42}); // Should return 40
into
function foo(a = function() { b = 40; }, {b}) { var b; a(); return b; }; foo(undefined, {b:42}); // Returns 42, not 40.
Which is wrong because we end up with two distinct bindings of "b" when
there should only be one.

• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseVariableDeclarationList):
(JSC::Parser<LexerType>::createBindingPattern):
(JSC::Parser<LexerType>::parseDestructuringPattern):

• parser/Parser.h:

(JSC::Scope::declareParameter):
(JSC::Scope::getUsedVariables):
(JSC::Parser::strictMode):
(JSC::Parser::isValidStrictMode):
(JSC::Parser::declareParameter):
(JSC::Parser::breakIsValid):
(JSC::Scope::declareBoundParameter): Deleted.
(JSC::Parser::declareBoundParameter): Deleted.

• tests/stress/es6-default-parameters.js:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• parser/Parser.cpp (modified) (4 diffs)
• parser/Parser.h (modified) (3 diffs)
• tests/stress/es6-default-parameters.js (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-11-18  Saam barati  <[email protected]>
+
+        There is a bug when default parameter values are mixed with destructuring parameter values
+        https://bugs.webkit.org/show_bug.cgi?id=151369
+
+        Reviewed by Geoffrey Garen and Mark Lam.
+
+        This patch changes our parser to no longer declare destructuring
+        parameters as "var"s. This is a weird bug that just happened
+        to work in a world without default parameter values. In a world with
+        default parameter values this is just completely wrong. It would
+        incorrectly transform this program:
+        ```function foo(a = function() { b = 40; }, {b}) { a(); return b; }; foo(undefined, {b: 42}); // Should return 40```
+        into
+        ```function foo(a = function() { b = 40; }, {b}) { var b; a(); return b; }; foo(undefined, {b:42}); // Returns 42, not 40.```
+        Which is wrong because we end up with two distinct bindings of "b" when
+        there should only be one.
+
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseVariableDeclarationList):
+        (JSC::Parser<LexerType>::createBindingPattern):
+        (JSC::Parser<LexerType>::parseDestructuringPattern):
+        * parser/Parser.h:
+        (JSC::Scope::declareParameter):
+        (JSC::Scope::getUsedVariables):
+        (JSC::Parser::strictMode):
+        (JSC::Parser::isValidStrictMode):
+        (JSC::Parser::declareParameter):
+        (JSC::Parser::breakIsValid):
+        (JSC::Scope::declareBoundParameter): Deleted.
+        (JSC::Parser::declareBoundParameter): Deleted.
+        * tests/stress/es6-default-parameters.js:
+
 2015-11-17  Benjamin Poulain  <[email protected]>
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -668 +668 @@
 
 template <typename LexerType>
-template <class TreeBuilder> TreeDestructuringPattern Parser<LexerType>::createBindingPattern(TreeBuilder& context, DestructuringKind kind, ExportType exportType, const Identifier& name, int depth, JSToken token, AssignmentContext bindingContext, const Identifier** duplicateIdentifier)
+template <class TreeBuilder> TreeDestructuringPattern Parser<LexerType>::createBindingPattern(TreeBuilder& context, DestructuringKind kind, ExportType exportType, const Identifier& name, JSToken token, AssignmentContext bindingContext, const Identifier** duplicateIdentifier)
 {
     ASSERT(!name.isNull());
@@ -686 +686 @@
         }
     } else if (kind == DestructureToParameters) {
-        if (depth) {
-            auto bindingResult = declareBoundParameter(&name);
-            if (bindingResult == Scope::StrictBindingFailed && strictMode()) {
-                semanticFailIfTrue(isEvalOrArguments(&name), "Cannot destructure to a parameter name '", name.impl(), "' in strict mode");
-                if (m_lastFunctionName && name == *m_lastFunctionName)
-                    semanticFail("Cannot destructure to '", name.impl(), "' as it shadows the name of a strict mode function");
-                semanticFailureDueToKeyword("bound parameter name");
-                if (hasDeclaredParameter(name))
-                    semanticFail("Cannot destructure to '", name.impl(), "' as it has already been declared");
-                semanticFail("Cannot bind to a parameter named '", name.impl(), "' in strict mode");
-            }
-            if (bindingResult == Scope::BindingFailed) {
-                semanticFailureDueToKeyword("bound parameter name");
-                if (hasDeclaredParameter(name))
-                    semanticFail("Cannot destructure to '", name.impl(), "' as it has already been declared");
-                semanticFail("Cannot destructure to a parameter named '", name.impl(), "'");
-            }
-        } else {
-            DeclarationResultMask declarationResult = declareParameter(&name);
-            if ((declarationResult & DeclarationResult::InvalidStrictMode) && strictMode()) {
-                semanticFailIfTrue(isEvalOrArguments(&name), "Cannot destructure to a parameter name '", name.impl(), "' in strict mode");
-                if (m_lastFunctionName && name == *m_lastFunctionName)
-                    semanticFail("Cannot declare a parameter named '", name.impl(), "' as it shadows the name of a strict mode function");
-                semanticFailureDueToKeyword("parameter name");
-                if (hasDeclaredParameter(name))
-                    semanticFail("Cannot declare a parameter named '", name.impl(), "' in strict mode as it has already been declared");
-                semanticFail("Cannot declare a parameter named '", name.impl(), "' in strict mode");
-            }
-            if (declarationResult & DeclarationResult::InvalidDuplicateDeclaration) {
-                // It's not always an error to define a duplicate parameter.
-                // It's only an error when there are default parameter values or destructuring parameters.
-                // We note this value now so we can check it later.
-                if (duplicateIdentifier)
-                    *duplicateIdentifier = &name;
-            }
+        DeclarationResultMask declarationResult = declareParameter(&name);
+        if ((declarationResult & DeclarationResult::InvalidStrictMode) && strictMode()) {
+            semanticFailIfTrue(isEvalOrArguments(&name), "Cannot destructure to a parameter name '", name.impl(), "' in strict mode");
+            if (m_lastFunctionName && name == *m_lastFunctionName)
+                semanticFail("Cannot declare a parameter named '", name.impl(), "' as it shadows the name of a strict mode function");
+            semanticFailureDueToKeyword("parameter name");
+            if (hasDeclaredParameter(name))
+                semanticFail("Cannot declare a parameter named '", name.impl(), "' in strict mode as it has already been declared");
+            semanticFail("Cannot declare a parameter named '", name.impl(), "' in strict mode");
+        }
+        if (declarationResult & DeclarationResult::InvalidDuplicateDeclaration) {
+            // It's not always an error to define a duplicate parameter.
+            // It's only an error when there are default parameter values or destructuring parameters.
+            // We note this value now so we can check it later.
+            if (duplicateIdentifier)
+                *duplicateIdentifier = &name;
         }
     }
@@ -880 +861 @@
                     innerPattern = parseBindingOrAssignmentElement(context, kind, exportType, duplicateIdentifier, hasDestructuringPattern, bindingContext, depth + 1);
                 else
-                    innerPattern = createBindingPattern(context, kind, exportType, *propertyName, depth + 1, identifierToken, bindingContext, duplicateIdentifier);
+                    innerPattern = createBindingPattern(context, kind, exportType, *propertyName, identifierToken, bindingContext, duplicateIdentifier);
             } else {
                 JSTokenType tokenType = m_token.m_type;
@@ -936 +917 @@
         }
         failIfTrue(match(LET) && (kind == DestructureToLet || kind == DestructureToConst), "Can't use 'let' as an identifier name for a LexicalDeclaration");
-        pattern = createBindingPattern(context, kind, exportType, *m_token.m_data.ident, depth, m_token, bindingContext, duplicateIdentifier);
+        pattern = createBindingPattern(context, kind, exportType, *m_token.m_data.ident, m_token, bindingContext, duplicateIdentifier);
         next();
         break;

trunk/Source/JavaScriptCore/parser/Parser.h

@@ -425 +425 @@
     }
     
-    enum BindingResult {
-        BindingFailed,
-        StrictBindingFailed,
-        BindingSucceeded
-    };
-    BindingResult declareBoundParameter(const Identifier* ident)
-    {
-        bool isArgumentsIdent = isArguments(m_vm, ident);
-        auto addResult = m_declaredVariables.add(ident->impl());
-        addResult.iterator->value.setIsVar(); // Treat destructuring parameters as "var"s.
-        bool isValidStrictMode = addResult.isNewEntry && !isEval(m_vm, ident) && !isArgumentsIdent;
-        m_isValidStrictMode = m_isValidStrictMode && isValidStrictMode;
-    
-        if (isArgumentsIdent)
-            m_shadowsArguments = true;
-        if (!addResult.isNewEntry)
-            return BindingFailed;
-        return isValidStrictMode ? BindingSucceeded : StrictBindingFailed;
-    }
-
     void getUsedVariables(IdentifierSet& usedVariables)
     {
@@ -1055 +1035 @@
     bool isValidStrictMode() { return currentScope()->isValidStrictMode(); }
     DeclarationResultMask declareParameter(const Identifier* ident) { return currentScope()->declareParameter(ident); }
-    Scope::BindingResult declareBoundParameter(const Identifier* ident) { return currentScope()->declareBoundParameter(ident); }
     bool breakIsValid()
     {
@@ -1160 +1139 @@
     template <class TreeBuilder> TreeSourceElements parseArrowFunctionSingleExpressionBodySourceElements(TreeBuilder&);
     template <class TreeBuilder> TreeExpression parseArrowFunctionExpression(TreeBuilder&);
-    template <class TreeBuilder> NEVER_INLINE TreeDestructuringPattern createBindingPattern(TreeBuilder&, DestructuringKind, ExportType, const Identifier&, int depth, JSToken, AssignmentContext, const Identifier** duplicateIdentifier);
+    template <class TreeBuilder> NEVER_INLINE TreeDestructuringPattern createBindingPattern(TreeBuilder&, DestructuringKind, ExportType, const Identifier&, JSToken, AssignmentContext, const Identifier** duplicateIdentifier);
     template <class TreeBuilder> NEVER_INLINE TreeDestructuringPattern createAssignmentElement(TreeBuilder&, TreeExpression&, const JSTextPosition&, const JSTextPosition&);
     template <class TreeBuilder> NEVER_INLINE TreeDestructuringPattern parseBindingOrAssignmentElement(TreeBuilder& context, DestructuringKind, ExportType, const Identifier** duplicateIdentifier, bool* hasDestructuringPattern, AssignmentContext bindingContext, int depth);

trunk/Source/JavaScriptCore/tests/stress/es6-default-parameters.js

@@ -236 +236 @@
 
 
+// Test proper variable binding.
+;(function() {
+    function foo(a = function() { return b; }, {b}) {
+        assert(a() === 34);
+        assert(b === 34);
+        b = 50;
+        assert(a() === 50);
+        assert(b === 50);
+    }
+    function bar(a = function(x) { b = x; }, {b}) {
+        assert(b === 34);
+        a(50);
+        assert(b === 50);
+    }
+    function baz(f1 = function(x) { b = x; }, f2 = function() { return b; }, {b}) {
+        var b;
+        assert(b === 34);
+        assert(f2() === 34);
+        f1(50);
+        assert(b === 34);
+        assert(f2() === 50);
+    }
+    noInline(foo);
+    noInline(bar);
+    noInline(baz);
+    for (let i = 0; i < 1000; i++) {
+        foo(undefined, {b: 34});
+        bar(undefined, {b: 34});
+        baz(undefined, undefined, {b: 34});
+    }
+})();
+
 
 // Syntax errors.