Changeset 216891 in webkit

Timestamp:

May 15, 2017, 5:21:59 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
​https://bugs.webkit.org/show_bug.cgi?id=172147

Rubber-stamped by Saam Barati.

JSTests:

• stress/object-rest-deconstruct.js: Removed.
• stress/object-spread.js: Removed.

Source/JavaScriptCore:

I rolled out every thing in those 2 patches except for the change to make
CodeBlock::finishCreation() return a bool plus its clients that depend on this.
I made this exception because r214931 relies on this change, and this part of
the change looks correct.

• builtins/BuiltinNames.h:
• builtins/GlobalOperations.js:

(globalPrivate.speciesConstructor):
(globalPrivate.copyDataProperties): Deleted.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted.

• bytecode/CodeBlock.h:
• bytecode/UnlinkedCodeBlock.h:

(JSC::UnlinkedCodeBlock::addBitVector):
(JSC::UnlinkedCodeBlock::constantRegisters):
(JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
(JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted.

• bytecompiler/BytecodeGenerator.cpp:
• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::PropertyListNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue):
(JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted.

• parser/ASTBuilder.h:

(JSC::ASTBuilder::createProperty):
(JSC::ASTBuilder::appendObjectPatternEntry):
(JSC::ASTBuilder::createObjectSpreadExpression): Deleted.
(JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted.
(JSC::ASTBuilder::setContainsObjectRestElement): Deleted.

• parser/NodeConstructors.h:

(JSC::PropertyNode::PropertyNode):
(JSC::SpreadExpressionNode::SpreadExpressionNode):
(JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted.

• parser/Nodes.h:

(JSC::ObjectPatternNode::appendEntry):
(JSC::ObjectSpreadExpressionNode::expression): Deleted.
(JSC::ObjectPatternNode::setContainsRestElement): Deleted.

• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseDestructuringPattern):
(JSC::Parser<LexerType>::parseProperty):

• parser/SyntaxChecker.h:

(JSC::SyntaxChecker::createSpreadExpression):
(JSC::SyntaxChecker::createProperty):
(JSC::SyntaxChecker::operatorStackPop):
(JSC::SyntaxChecker::createObjectSpreadExpression): Deleted.

• runtime/ObjectConstructor.cpp:

(JSC::ObjectConstructor::finishCreation):

• runtime/SetPrototype.cpp:

(JSC::SetPrototype::finishCreation):

Source/WTF:

• wtf/HashSet.h:

(WTF::=):

LayoutTests:

• js/parser-syntax-check-expected.txt:
• js/script-tests/parser-syntax-check.js:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/object-rest-deconstruct.js (deleted)
• JSTests/stress/object-spread.js (deleted)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/parser-syntax-check-expected.txt (modified) (2 diffs)
• LayoutTests/js/script-tests/parser-syntax-check.js (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/builtins/BuiltinNames.h (modified) (1 diff)
• Source/JavaScriptCore/builtins/GlobalOperations.js (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h (modified) (5 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (5 diffs)
• Source/JavaScriptCore/parser/ASTBuilder.h (modified) (4 diffs)
• Source/JavaScriptCore/parser/NodeConstructors.h (modified) (2 diffs)
• Source/JavaScriptCore/parser/Nodes.h (modified) (5 diffs)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (4 diffs)
• Source/JavaScriptCore/parser/SyntaxChecker.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/SetPrototype.cpp (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/HashSet.h (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-05-15  Mark Lam  <mark.lam@apple.com>
+
+        Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
+        https://bugs.webkit.org/show_bug.cgi?id=172147
+
+        Rubber-stamped by Saam Barati.
+
+        * stress/object-rest-deconstruct.js: Removed.
+        * stress/object-spread.js: Removed.
+
 2017-05-11  JF Bastien  <jfbastien@apple.com>
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-05-15  Mark Lam  <mark.lam@apple.com>
+
+        Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
+        https://bugs.webkit.org/show_bug.cgi?id=172147
+
+        Rubber-stamped by Saam Barati.
+
+        * js/parser-syntax-check-expected.txt:
+        * js/script-tests/parser-syntax-check.js:
+
 2017-05-15  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/js/parser-syntax-check-expected.txt

@@ -1168 +1168 @@
 PASS Invalid: "var [...y, ...z] = 20". Produced the following syntax error: "SyntaxError: Unexpected token ','. Expected a closing ']' following a rest element destructuring pattern."
 PASS Invalid: "function f() { var [...y, ...z] = 20 }". Produced the following syntax error: "SyntaxError: Unexpected token ','. Expected a closing ']' following a rest element destructuring pattern."
-PASS Valid:   "var [...{...y}] = 20" with TypeError
-PASS Valid:   "function f() { var [...{...y}] = 20 }"
-PASS Valid:   "var {a, b, ...r} = {a: 1, b: 2, c: 3};"
-PASS Valid:   "function f() { var {a, b, ...r} = {a: 1, b: 2, c: 3}; }"
-PASS Valid:   "var {a, b, ...{d}} = {a: 1, b: 2, c: 3, d: 4};"
-PASS Valid:   "function f() { var {a, b, ...{d}} = {a: 1, b: 2, c: 3, d: 4}; }"
-PASS Valid:   "var {a, b, ...{d = 15}} = {a: 1, b: 2, c: 3, d: 4};"
-PASS Valid:   "function f() { var {a, b, ...{d = 15}} = {a: 1, b: 2, c: 3, d: 4}; }"
-PASS Valid:   "var {a, b, ...{d = 15, ...r}} = {a: 1, b: 2, c: 3, d: 4};"
-PASS Valid:   "function f() { var {a, b, ...{d = 15, ...r}} = {a: 1, b: 2, c: 3, d: 4}; }"
-PASS Valid:   "(({a, b, ...r}) => {})({a: 1, b: 2, c: 3, d: 4});"
-PASS Valid:   "function f() { (({a, b, ...r}) => {})({a: 1, b: 2, c: 3, d: 4}); }"
-PASS Valid:   "(function ({a, b, ...r}) {})({a: 1, b: 2, c: 3, d: 4});"
-PASS Valid:   "function f() { (function ({a, b, ...r}) {})({a: 1, b: 2, c: 3, d: 4}); }"
-PASS Valid:   "var a, b, c; ({a, b, ...r} = {a: 1, b: 2, c: 3, d: 4});"
-PASS Valid:   "function f() { var a, b, c; ({a, b, ...r} = {a: 1, b: 2, c: 3, d: 4}); }"
-PASS Valid:   "function * foo(o) { ({...{ x = yield }} = o); }"
-PASS Valid:   "function f() { function * foo(o) { ({...{ x = yield }} = o); } }"
-PASS Valid:   "let c = {}; let o = {a: 1, b: 2, ...c};"
-PASS Valid:   "function f() { let c = {}; let o = {a: 1, b: 2, ...c}; }"
-PASS Valid:   "let o = {a: 1, b: 3, ...{}};"
-PASS Valid:   "function f() { let o = {a: 1, b: 3, ...{}}; }"
-PASS Valid:   "let o = {a: 1, b: 2, ...null, c: 3};"
-PASS Valid:   "function f() { let o = {a: 1, b: 2, ...null, c: 3}; }"
-PASS Valid:   "let o = {a: 1, b: 2, ...undefined, c: 3};"
-PASS Valid:   "function f() { let o = {a: 1, b: 2, ...undefined, c: 3}; }"
-PASS Valid:   "let o = {a: 1, b: 2, ...{...{}}, c: 3};"
-PASS Valid:   "function f() { let o = {a: 1, b: 2, ...{...{}}, c: 3}; }"
-PASS Valid:   "let c = {}; let o = {a: 1, b: 2, ...c, d: 3, ...c, e: 5};"
-PASS Valid:   "function f() { let c = {}; let o = {a: 1, b: 2, ...c, d: 3, ...c, e: 5}; }"
-PASS Valid:   "function* gen() { yield {a: 1, b: 2, ...yield yield, d: 3, ...yield, e: 5}; }"
-PASS Valid:   "function f() { function* gen() { yield {a: 1, b: 2, ...yield yield, d: 3, ...yield, e: 5}; } }"
-PASS Invalid: "var {...r = {a: 2}} = {a: 1, b: 2};". Produced the following syntax error: "SyntaxError: Unexpected token '='. Expected a closing '}' following a rest element destructuring pattern."
-PASS Invalid: "function f() { var {...r = {a: 2}} = {a: 1, b: 2}; }". Produced the following syntax error: "SyntaxError: Unexpected token '='. Expected a closing '}' following a rest element destructuring pattern."
-PASS Invalid: "var {...r, b} = {a: 1, b: 2};". Produced the following syntax error: "SyntaxError: Unexpected token ','. Expected a closing '}' following a rest element destructuring pattern."
-PASS Invalid: "function f() { var {...r, b} = {a: 1, b: 2}; }". Produced the following syntax error: "SyntaxError: Unexpected token ','. Expected a closing '}' following a rest element destructuring pattern."
-PASS Invalid: "var {...r, ...e} = {a: 1, b: 2};". Produced the following syntax error: "SyntaxError: Unexpected token ','. Expected a closing '}' following a rest element destructuring pattern."
-PASS Invalid: "function f() { var {...r, ...e} = {a: 1, b: 2}; }". Produced the following syntax error: "SyntaxError: Unexpected token ','. Expected a closing '}' following a rest element destructuring pattern."
-PASS Invalid: "function * (o) { ({ ...{ x: yield } } = o); }". Produced the following syntax error: "SyntaxError: Unexpected token '('"
-PASS Invalid: "function f() { function * (o) { ({ ...{ x: yield } } = o); } }". Produced the following syntax error: "SyntaxError: Unexpected token '('"
+PASS Invalid: "var [...{...y}] = 20". Produced the following syntax error: "SyntaxError: Unexpected token '...'. Expected a property name."
+PASS Invalid: "function f() { var [...{...y}] = 20 }". Produced the following syntax error: "SyntaxError: Unexpected token '...'. Expected a property name."
 Rest parameter
 PASS Valid:   "function foo(...a) { }"
@@ -1275 +1237 @@
 PASS Valid:   "let x = (a = 20, ...{b}) => { }"
 PASS Valid:   "function f() { let x = (a = 20, ...{b}) => { } }"
-PASS Valid:   "let x = (a = 20, ...{...b}) => { }"
-PASS Valid:   "function f() { let x = (a = 20, ...{...b}) => { } }"
+PASS Invalid: "let x = (a = 20, ...{...b}) => { }". Produced the following syntax error: "SyntaxError: Unexpected token '...'"
+PASS Invalid: "function f() { let x = (a = 20, ...{...b}) => { } }". Produced the following syntax error: "SyntaxError: Unexpected token '...'"
 PASS Invalid: "let x = (a = 20, ...{124}) => { }". Produced the following syntax error: "SyntaxError: Unexpected token '...'"
 PASS Invalid: "function f() { let x = (a = 20, ...{124}) => { } }". Produced the following syntax error: "SyntaxError: Unexpected token '...'"

trunk/LayoutTests/js/script-tests/parser-syntax-check.js

@@ -692 +692 @@
 valid("var {x: [y, {z: {z: [...z]}}]} = 20");
 invalid("var [...y, ...z] = 20");
-valid("var [...{...y}] = 20");
-valid("var {a, b, ...r} = {a: 1, b: 2, c: 3};");
-valid("var {a, b, ...{d}} = {a: 1, b: 2, c: 3, d: 4};");
-valid("var {a, b, ...{d = 15}} = {a: 1, b: 2, c: 3, d: 4};");
-valid("var {a, b, ...{d = 15, ...r}} = {a: 1, b: 2, c: 3, d: 4};");
-valid("(({a, b, ...r}) => {})({a: 1, b: 2, c: 3, d: 4});");
-valid("(function ({a, b, ...r}) {})({a: 1, b: 2, c: 3, d: 4});");
-valid("var a, b, c; ({a, b, ...r} = {a: 1, b: 2, c: 3, d: 4});");
-valid("function * foo(o) { ({...{ x = yield }} = o); }");
-valid("let c = {}; let o = {a: 1, b: 2, ...c};");
-valid("let o = {a: 1, b: 3, ...{}};");
-valid("let o = {a: 1, b: 2, ...null, c: 3};");
-valid("let o = {a: 1, b: 2, ...undefined, c: 3};");
-valid("let o = {a: 1, b: 2, ...{...{}}, c: 3};");
-valid("let c = {}; let o = {a: 1, b: 2, ...c, d: 3, ...c, e: 5};");
-valid("function* gen() { yield {a: 1, b: 2, ...yield yield, d: 3, ...yield, e: 5}; }");
-invalid("var {...r = {a: 2}} = {a: 1, b: 2};");
-invalid("var {...r, b} = {a: 1, b: 2};");
-invalid("var {...r, ...e} = {a: 1, b: 2};");
-invalid("function * (o) { ({ ...{ x: yield } } = o); }");
+invalid("var [...{...y}] = 20");
 
 debug("Rest parameter");
@@ -747 +728 @@
 valid("let x = (a = 20, ...[...[b = 40]]) => { }");
 valid("let x = (a = 20, ...{b}) => { }");
-valid("let x = (a = 20, ...{...b}) => { }");
+invalid("let x = (a = 20, ...{...b}) => { }");
 invalid("let x = (a = 20, ...{124}) => { }");
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-05-15  Mark Lam  <mark.lam@apple.com>
+
+        Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
+        https://bugs.webkit.org/show_bug.cgi?id=172147
+
+        Rubber-stamped by Saam Barati.
+
+        I rolled out every thing in those 2 patches except for the change to make
+        CodeBlock::finishCreation() return a bool plus its clients that depend on this.
+        I made this exception because r214931 relies on this change, and this part of
+        the change looks correct.
+
+        * builtins/BuiltinNames.h:
+        * builtins/GlobalOperations.js:
+        (globalPrivate.speciesConstructor):
+        (globalPrivate.copyDataProperties): Deleted.
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        (JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted.
+        * bytecode/CodeBlock.h:
+        * bytecode/UnlinkedCodeBlock.h:
+        (JSC::UnlinkedCodeBlock::addBitVector):
+        (JSC::UnlinkedCodeBlock::constantRegisters):
+        (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
+        (JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted.
+        * bytecompiler/BytecodeGenerator.cpp:
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::PropertyListNode::emitBytecode):
+        (JSC::ObjectPatternNode::bindValue):
+        (JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted.
+        * parser/ASTBuilder.h:
+        (JSC::ASTBuilder::createProperty):
+        (JSC::ASTBuilder::appendObjectPatternEntry):
+        (JSC::ASTBuilder::createObjectSpreadExpression): Deleted.
+        (JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted.
+        (JSC::ASTBuilder::setContainsObjectRestElement): Deleted.
+        * parser/NodeConstructors.h:
+        (JSC::PropertyNode::PropertyNode):
+        (JSC::SpreadExpressionNode::SpreadExpressionNode):
+        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted.
+        * parser/Nodes.h:
+        (JSC::ObjectPatternNode::appendEntry):
+        (JSC::ObjectSpreadExpressionNode::expression): Deleted.
+        (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseDestructuringPattern):
+        (JSC::Parser<LexerType>::parseProperty):
+        * parser/SyntaxChecker.h:
+        (JSC::SyntaxChecker::createSpreadExpression):
+        (JSC::SyntaxChecker::createProperty):
+        (JSC::SyntaxChecker::operatorStackPop):
+        (JSC::SyntaxChecker::createObjectSpreadExpression): Deleted.
+        * runtime/ObjectConstructor.cpp:
+        (JSC::ObjectConstructor::finishCreation):
+        * runtime/SetPrototype.cpp:
+        (JSC::SetPrototype::finishCreation):
+
 2017-05-15  David Kilzer  <ddkilzer@apple.com>
 

trunk/Source/JavaScriptCore/builtins/BuiltinNames.h

@@ -160 +160 @@
     macro(stringSplitFast) \
     macro(stringSubstrInternal) \
-    macro(toObject) \
     macro(makeBoundFunction) \
     macro(hasOwnLengthProperty) \

trunk/Source/JavaScriptCore/builtins/GlobalOperations.js

@@ -80 +80 @@
     @throwTypeError("|this|.constructor[Symbol.species] is not a constructor");
 }
-
-@globalPrivate
-function copyDataProperties(target, source, excludedSet)
-{
-    if (!@isObject(target))
-        @throwTypeError("target needs to be an object");
-    
-    if (source == null)
-        return target;
-    
-    let from = @Object(source);
-    let keys = @Reflect.@ownKeys(from);
-    let keysLength = keys.length;
-    for (let i = 0; i < keysLength; i++) {
-        let nextKey = keys[i];
-        if (!excludedSet.@has(nextKey)) {
-            let desc = @Object.@getOwnPropertyDescriptor(from, nextKey);
-            if (desc.enumerable && desc !== @undefined) {
-                let propValue = from[nextKey];
-                @Object.@defineProperty(target, nextKey, {value: propValue, enumerable: true, writable: true, configurable: true});
-            }
-        }
-    }
-
-    return target;
-}

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -59 +59 @@
 #include "JSLexicalEnvironment.h"
 #include "JSModuleEnvironment.h"
-#include "JSSet.h"
-#include "JSString.h"
 #include "JSTemplateRegistryKey.h"
 #include "LLIntData.h"
@@ -408 +406 @@
     if (!setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation()))
         return false;
-    if (!setConstantIdentifierSetRegisters(vm, unlinkedCodeBlock->constantIdentifierSets()))
-        return false;
     if (unlinkedCodeBlock->usesGlobalObject())
         m_constantRegisters[unlinkedCodeBlock->globalObjectRegister().toConstantIndex()].set(*m_vm, this, m_globalObject.get());
@@ -866 +862 @@
     }
 #endif // ENABLE(JIT)
-}
-
-bool CodeBlock::setConstantIdentifierSetRegisters(VM& vm, const Vector<ConstantIndentifierSetEntry>& constants)
-{
-    auto scope = DECLARE_THROW_SCOPE(vm);
-    JSGlobalObject* globalObject = m_globalObject.get();
-    ExecState* exec = globalObject->globalExec();
-
-    for (const auto& entry : constants) {
-        Structure* setStructure = globalObject->setStructure();
-        RETURN_IF_EXCEPTION(scope, false);
-        JSSet* jsSet = JSSet::create(exec, vm, setStructure);
-        RETURN_IF_EXCEPTION(scope, false);
-
-        const IdentifierSet& set = entry.first;
-        for (auto& setEntry : set) {
-            JSString* jsString = jsOwnedString(&vm, setEntry.get());
-            jsSet->add(exec, JSValue(jsString));
-            RETURN_IF_EXCEPTION(scope, false);
-        }
-        m_constantRegisters[entry.second].set(vm, this, JSValue(jsSet));
-    }
-    return true;
 }
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -921 +921 @@
     void updateAllPredictionsAndCountLiveness(unsigned& numberOfLiveNonArgumentValueProfiles, unsigned& numberOfSamplesInProfiles);
 
-    bool setConstantIdentifierSetRegisters(VM&, const Vector<ConstantIndentifierSetEntry>& constants);
-
     bool setConstantRegisters(const Vector<WriteBarrier<Unknown>>& constants, const Vector<SourceCodeRepresentation>& constantsSourceCodeRepresentation);
 

trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h

@@ -42 +42 @@
 #include "VariableEnvironment.h"
 #include "VirtualRegister.h"
-#include <algorithm>
 #include <wtf/BitVector.h>
-#include <wtf/HashSet.h>
 #include <wtf/TriState.h>
 #include <wtf/Vector.h>
-#include <wtf/text/UniquedStringImpl.h>
 
 namespace JSC {
@@ -69 +66 @@
 typedef unsigned UnlinkedObjectAllocationProfile;
 typedef unsigned UnlinkedLLIntCallLinkInfo;
-typedef std::pair<IdentifierSet, unsigned> ConstantIndentifierSetEntry;
 
 struct UnlinkedStringJumpTable {
@@ -187 +183 @@
         return m_bitVectors.size() - 1;
     }
-    
-    void addSetConstant(IdentifierSet& set)
-    {
-        VM& vm = *this->vm();
-        auto locker = lockDuringMarking(vm.heap, *this);
-        unsigned result = m_constantRegisters.size();
-        m_constantRegisters.append(WriteBarrier<Unknown>());
-        m_constantsSourceCodeRepresentation.append(SourceCodeRepresentation::Other);
-        m_constantIdentifierSets.append(ConstantIndentifierSetEntry(set, result));
-    }
 
     unsigned addConstant(JSValue v, SourceCodeRepresentation sourceCodeRepresentation = SourceCodeRepresentation::Other)
@@ -229 +215 @@
     }
     const Vector<WriteBarrier<Unknown>>& constantRegisters() { return m_constantRegisters; }
-    const Vector<ConstantIndentifierSetEntry>& constantIdentifierSets() { return m_constantIdentifierSets; }
     const WriteBarrier<Unknown>& constantRegister(int index) const { return m_constantRegisters[index - FirstConstantRegisterIndex]; }
     ALWAYS_INLINE bool isConstantRegisterIndex(int index) const { return index >= FirstConstantRegisterIndex; }
@@ -463 +448 @@
     Vector<BitVector> m_bitVectors;
     Vector<WriteBarrier<Unknown>> m_constantRegisters;
-    Vector<ConstantIndentifierSetEntry> m_constantIdentifierSets;
     Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation;
     typedef Vector<WriteBarrier<UnlinkedFunctionExecutable>> FunctionExpressionVector;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1952 +1952 @@
 }
 
-RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, IdentifierSet& set)
-{
-    for (const auto& entry : m_codeBlock->constantIdentifierSets()) {
-        if (entry.first != set)
-            continue;
-        
-        return &m_constantPoolRegisters[entry.second];
-    }
-    
-    unsigned index = m_nextConstantOffset;
-    m_constantPoolRegisters.append(FirstConstantRegisterIndex + m_nextConstantOffset);
-    ++m_nextConstantOffset;
-    m_codeBlock->addSetConstant(set);
-    RegisterID* m_setRegister = &m_constantPoolRegisters[index];
-    
-    if (dst)
-        return emitMove(dst, m_setRegister);
-    
-    return m_setRegister;
-}
-
 RegisterID* BytecodeGenerator::emitLoadGlobalObject(RegisterID* dst)
 {

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -588 +588 @@
         RegisterID* emitLoad(RegisterID* dst, const Identifier&);
         RegisterID* emitLoad(RegisterID* dst, JSValue, SourceCodeRepresentation = SourceCodeRepresentation::Other);
-        RegisterID* emitLoad(RegisterID* dst, IdentifierSet& excludedList);
         RegisterID* emitLoadGlobalObject(RegisterID* dst);
 

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -42 +42 @@
 #include "StackAlignment.h"
 #include <wtf/Assertions.h>
-#include <wtf/HashSet.h>
 #include <wtf/Threading.h>
 #include <wtf/text/StringBuilder.h>
-#include <wtf/text/UniquedStringImpl.h>
 
 using namespace WTF;
@@ -517 +515 @@
                 break;
             }
-            if (node->m_type & PropertyNode::Constant || node->m_type & PropertyNode::Spread)
+            if (node->m_type & PropertyNode::Constant)
                 continue;
 
@@ -538 +536 @@
             if (node->m_type & PropertyNode::Constant) {
                 emitPutConstantProperty(generator, dst, *node);
-                continue;
-            } else if (node->m_type & PropertyNode::Spread) {
-                generator.emitNode(dst, node->m_assign);
                 continue;
             }
@@ -4067 +4062 @@
 {
     generator.emitRequireObjectCoercible(rhs, ASCIILiteral("Right side of assignment cannot be destructured"));
-    
-    IdentifierSet excludedSet;
-
     for (const auto& target : m_targetPatterns) {
-        if (target.bindingType == BindingType::Element) {
-            RefPtr<RegisterID> temp = generator.newTemporary();
-            if (!target.propertyExpression) {
-                
-                // Should not emit get_by_id for indexed ones.
-                std::optional<uint32_t> optionalIndex = parseIndex(target.propertyName);
-                if (!optionalIndex)
-                    generator.emitGetById(temp.get(), rhs, target.propertyName);
-                else {
-                    RefPtr<RegisterID> pIndex = generator.emitLoad(nullptr, jsNumber(optionalIndex.value()));
-                    generator.emitGetByVal(temp.get(), rhs, pIndex.get());
-                }
-            } else {
-                RefPtr<RegisterID> propertyName = generator.emitNode(target.propertyExpression);
-                generator.emitGetByVal(temp.get(), rhs, propertyName.get());
+        RefPtr<RegisterID> temp = generator.newTemporary();
+        if (!target.propertyExpression) {
+            // Should not emit get_by_id for indexed ones.
+            std::optional<uint32_t> optionalIndex = parseIndex(target.propertyName);
+            if (!optionalIndex)
+                generator.emitGetById(temp.get(), rhs, target.propertyName);
+            else {
+                RefPtr<RegisterID> index = generator.emitLoad(nullptr, jsNumber(optionalIndex.value()));
+                generator.emitGetByVal(temp.get(), rhs, index.get());
             }
-            
-            if (UNLIKELY(m_containsRestElement))
-                excludedSet.add(target.propertyName.impl());
-            
-            if (target.defaultValue)
-                assignDefaultValueIfUndefined(generator, temp.get(), target.defaultValue);
-            target.pattern->bindValue(generator, temp.get());
         } else {
-            RefPtr<RegisterID> excludedSetReg = generator.emitLoad(generator.newTemporary(), excludedSet);
-        
-            RefPtr<RegisterID> newObject = generator.emitNewObject(generator.newTemporary());
-            
-            // load and call @copyDataProperties
-            auto var = generator.variable(generator.propertyNames().builtinNames().copyDataPropertiesPrivateName());
-            
-            RefPtr<RegisterID> scope = generator.newTemporary();
-            generator.moveToDestinationIfNeeded(scope.get(), generator.emitResolveScope(scope.get(), var));
-            RefPtr<RegisterID> copyDataProperties = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, ThrowIfNotFound);
-            
-            CallArguments args(generator, nullptr, 3);
-            unsigned argumentCount = 0;
-            generator.emitLoad(args.thisRegister(), jsUndefined());
-            generator.emitMove(args.argumentRegister(argumentCount++), newObject.get());
-            generator.emitMove(args.argumentRegister(argumentCount++), rhs);
-            generator.emitMove(args.argumentRegister(argumentCount++), excludedSetReg.get());
-
-            RefPtr<RegisterID> result = generator.newTemporary();
-            generator.emitCall(result.get(), copyDataProperties.get(), NoExpectedFunction, args, divot(), divotStart(), divotEnd(), DebuggableCall::No);
-            target.pattern->bindValue(generator, result.get());
-        }
+            RefPtr<RegisterID> propertyName = generator.emitNode(target.propertyExpression);
+            generator.emitGetByVal(temp.get(), rhs, propertyName.get());
+        }
+
+        if (target.defaultValue)
+            assignDefaultValueIfUndefined(generator, temp.get(), target.defaultValue);
+        target.pattern->bindValue(generator, temp.get());
     }
 }
@@ -4266 +4230 @@
 }
 
-RegisterID* ObjectSpreadExpressionNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
-{
-    RefPtr<RegisterID> src = generator.newTemporary();
-    generator.emitNode(src.get(), m_expression);
-    IdentifierSet excludedSet;
-    
-    RefPtr<RegisterID> excludedSetReg = generator.emitLoad(generator.newTemporary(), excludedSet);
-        
-    // load and call @copyDataProperties
-    auto var = generator.variable(generator.propertyNames().builtinNames().copyDataPropertiesPrivateName());
-    
-    RefPtr<RegisterID> scope = generator.newTemporary();
-    generator.moveToDestinationIfNeeded(scope.get(), generator.emitResolveScope(scope.get(), var));
-    RefPtr<RegisterID> copyDataProperties = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, ThrowIfNotFound);
-    
-    CallArguments args(generator, nullptr, 3);
-    unsigned argumentCount = 0;
-    generator.emitLoad(args.thisRegister(), jsUndefined());
-    generator.emitMove(args.argumentRegister(argumentCount++), dst);
-    generator.emitMove(args.argumentRegister(argumentCount++), src.get());
-    generator.emitMove(args.argumentRegister(argumentCount++), excludedSetReg.get());
-    
-    generator.emitCall(generator.newTemporary(), copyDataProperties.get(), NoExpectedFunction, args, divot(), divotStart(), divotEnd(), DebuggableCall::No);
-    
-    return 0;
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/parser/ASTBuilder.h

@@ -276 +276 @@
     }
 
-    ExpressionNode* createObjectSpreadExpression(const JSTokenLocation& location, ExpressionNode* expression, const JSTextPosition& start, const JSTextPosition& divot, const JSTextPosition& end)
-    {
-        auto node = new (m_parserArena) ObjectSpreadExpressionNode(location, expression);
-        setExceptionLocation(node, start, divot, end);
-        return node;
-    }
-
     TemplateStringNode* createTemplateString(const JSTokenLocation& location, const Identifier* cooked, const Identifier* raw)
     {
@@ -503 +496 @@
         return new (m_parserArena) PropertyNode(*propertyName, node, type, putType, superBinding, isClassProperty);
     }
-    PropertyNode* createProperty(ExpressionNode* node, PropertyNode::Type type, PropertyNode::PutType putType, bool, SuperBinding superBinding, bool isClassProperty)
-    {
-        return new (m_parserArena) PropertyNode(node, type, putType, superBinding, isClassProperty);
-    }
     PropertyNode* createProperty(VM* vm, ParserArena& parserArena, double propertyName, ExpressionNode* node, PropertyNode::Type type, PropertyNode::PutType putType, bool, SuperBinding superBinding, bool isClassProperty)
     {
@@ -956 +945 @@
     void appendObjectPatternEntry(ObjectPattern node, const JSTokenLocation& location, bool wasString, const Identifier& identifier, DestructuringPattern pattern, ExpressionNode* defaultValue)
     {
-        node->appendEntry(location, identifier, wasString, pattern, defaultValue, ObjectPatternNode::BindingType::Element);
+        node->appendEntry(location, identifier, wasString, pattern, defaultValue);
         tryInferNameInPattern(pattern, defaultValue);
     }
@@ -962 +951 @@
     void appendObjectPatternEntry(ObjectPattern node, const JSTokenLocation& location, ExpressionNode* propertyExpression, DestructuringPattern pattern, ExpressionNode* defaultValue)
     {
-        node->appendEntry(location, propertyExpression, pattern, defaultValue, ObjectPatternNode::BindingType::Element);
+        node->appendEntry(location, propertyExpression, pattern, defaultValue);
         tryInferNameInPattern(pattern, defaultValue);
-    }
-    
-    void appendObjectPatternRestEntry(ObjectPattern node, const JSTokenLocation& location, DestructuringPattern pattern)
-    {
-        node->appendEntry(location, nullptr, pattern, nullptr, ObjectPatternNode::BindingType::RestElement);
-    }
-
-    void setContainsObjectRestElement(ObjectPattern node, bool containsRestElement)
-    {
-        node->setContainsRestElement(containsRestElement);
     }
 

trunk/Source/JavaScriptCore/parser/NodeConstructors.h

@@ -235 +235 @@
     {
     }
-    
-    inline PropertyNode::PropertyNode(ExpressionNode* assign, Type type, PutType putType, SuperBinding superBinding, bool isClassProperty)
-        : m_name(nullptr)
-        , m_assign(assign)
-        , m_type(type)
-        , m_needsSuperBinding(superBinding == SuperBinding::Needed)
-        , m_putType(putType)
-        , m_isClassProperty(isClassProperty)
-    {
-    }
 
     inline PropertyNode::PropertyNode(ExpressionNode* name, ExpressionNode* assign, Type type, PutType putType, SuperBinding superBinding, bool isClassProperty)
-        : m_name(nullptr)
+        : m_name(0)
         , m_expression(name)
         , m_assign(assign)
@@ -301 +291 @@
     
     inline SpreadExpressionNode::SpreadExpressionNode(const JSTokenLocation& location, ExpressionNode* expression)
-        : ExpressionNode(location)
-        , m_expression(expression)
-    {
-    }
-    
-    inline ObjectSpreadExpressionNode::ObjectSpreadExpressionNode(const JSTokenLocation& location, ExpressionNode* expression)
         : ExpressionNode(location)
         , m_expression(expression)

trunk/Source/JavaScriptCore/parser/Nodes.h

@@ -647 +647 @@
     class PropertyNode : public ParserArenaFreeable {
     public:
-        enum Type { Constant = 1, Getter = 2, Setter = 4, Computed = 8, Shorthand = 16, Spread = 32 };
+        enum Type { Constant = 1, Getter = 2, Setter = 4, Computed = 8, Shorthand = 16 };
         enum PutType { Unknown, KnownDirect };
 
         PropertyNode(const Identifier&, ExpressionNode*, Type, PutType, SuperBinding, bool isClassProperty);
-        PropertyNode(ExpressionNode*, Type, PutType, SuperBinding, bool isClassProperty);
         PropertyNode(ExpressionNode* propertyName, ExpressionNode*, Type, PutType, SuperBinding, bool isClassProperty);
 
@@ -667 +666 @@
         ExpressionNode* m_expression;
         ExpressionNode* m_assign;
-        unsigned m_type : 6;
+        unsigned m_type : 5;
         unsigned m_needsSuperBinding : 1;
         unsigned m_putType : 1;
@@ -747 +746 @@
         
         bool isSpreadExpression() const override { return true; }
-        ExpressionNode* m_expression;
-    };
-    
-    class ObjectSpreadExpressionNode : public ExpressionNode, public ThrowableExpressionData {
-    public:
-        ObjectSpreadExpressionNode(const JSTokenLocation&, ExpressionNode*);
-        
-        ExpressionNode* expression() const { return m_expression; }
-        
-    private:
-        RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
-        
         ExpressionNode* m_expression;
     };
@@ -2128 +2115 @@
     };
     
-    class ObjectPatternNode : public DestructuringPatternNode, public ThrowableExpressionData, public ParserArenaDeletable {
+    class ObjectPatternNode : public DestructuringPatternNode, public ParserArenaDeletable {
     public:
         using ParserArenaDeletable::operator new;
         
         ObjectPatternNode();
-        enum class BindingType {
-            Element,
-            RestElement
-        };
-        void appendEntry(const JSTokenLocation&, const Identifier& identifier, bool wasString, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
+        void appendEntry(const JSTokenLocation&, const Identifier& identifier, bool wasString, DestructuringPatternNode* pattern, ExpressionNode* defaultValue)
         {
-            m_targetPatterns.append(Entry{ identifier, nullptr, wasString, pattern, defaultValue, bindingType });
+            m_targetPatterns.append(Entry { identifier, nullptr, wasString, pattern, defaultValue });
         }
 
-        void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
+        void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue)
         {
-            m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
-        }
-        
-        void setContainsRestElement(bool containsRestElement)
-        {
-            m_containsRestElement = containsRestElement;
+            m_targetPatterns.append(Entry { Identifier(), propertyExpression, false, pattern, defaultValue });
         }
 
@@ -2162 +2140 @@
             DestructuringPatternNode* pattern;
             ExpressionNode* defaultValue;
-            BindingType bindingType;
         };
-        bool m_containsRestElement { false };
         Vector<Entry> m_targetPatterns;
     };

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -1014 +1014 @@
             *hasDestructuringPattern = true;
 
-        bool restElementWasFound = false;
-
         do {
             bool wasString = false;
@@ -1021 +1019 @@
             if (match(CLOSEBRACE))
                 break;
-
-            if (UNLIKELY(match(DOTDOTDOT))) {
-                JSTokenLocation location = m_token.m_location;
-                next();
-                auto innerPattern = parseBindingOrAssignmentElement(context, kind, exportType, duplicateIdentifier, hasDestructuringPattern, bindingContext, depth + 1);
-                if (kind == DestructuringKind::DestructureToExpressions && !innerPattern)
-                    return 0;
-                propagateError();
-                context.appendObjectPatternRestEntry(objectPattern, location, innerPattern);
-                restElementWasFound = true;
-                context.setContainsObjectRestElement(objectPattern, restElementWasFound);
-                break;
-            }
 
             const Identifier* propertyName = nullptr;
@@ -1109 +1094 @@
         if (kind == DestructuringKind::DestructureToExpressions && !match(CLOSEBRACE))
             return 0;
-        consumeOrFail(CLOSEBRACE, restElementWasFound ? "Expected a closing '}' following a rest element destructuring pattern" : "Expected either a closing '}' or an ',' after a property destructuring pattern");
+        consumeOrFail(CLOSEBRACE, "Expected either a closing '}' or an ',' after a property destructuring pattern");
         pattern = objectPattern;
         break;
@@ -3805 +3790 @@
         return context.createProperty(propertyName, node, static_cast<PropertyNode::Type>(PropertyNode::Constant | PropertyNode::Computed), PropertyNode::Unknown, complete, SuperBinding::NotNeeded, isClassProperty);
     }
-    case DOTDOTDOT: {
-        auto spreadLocation = m_token.m_location;
-        auto start = m_token.m_startPosition;
-        auto divot = m_token.m_endPosition;
-        next();
-        TreeExpression elem = parseAssignmentExpressionOrPropagateErrorClass(context);
-        failIfFalse(elem, "Cannot parse subject of a spread operation");
-        auto node = context.createObjectSpreadExpression(spreadLocation, elem, start, divot, m_lastTokenEndPosition);
-        return context.createProperty(node, PropertyNode::Spread, PropertyNode::Unknown, complete, SuperBinding::NotNeeded, isClassProperty);
-    }
     default:
         failIfFalse(m_token.m_type & KeywordTokenFlag, "Expected a property name");

trunk/Source/JavaScriptCore/parser/SyntaxChecker.h

@@ -77 +77 @@
         DeleteExpr, ArrayLiteralExpr, BindingDestructuring, RestParameter,
         ArrayDestructuring, ObjectDestructuring, SourceElementsResult,
-        FunctionBodyResult, SpreadExpr, ObjectSpreadExpr, ArgumentsResult,
+        FunctionBodyResult, SpreadExpr, ArgumentsResult,
         PropertyListResult, ArgumentsListResult, ElementsListResult,
         StatementResult, FormalParameterListResult, ClauseResult,
@@ -195 +195 @@
     int createArguments(int) { return ArgumentsResult; }
     ExpressionType createSpreadExpression(const JSTokenLocation&, ExpressionType, int, int, int) { return SpreadExpr; }
-    ExpressionType createObjectSpreadExpression(const JSTokenLocation&, ExpressionType, int, int, int) { return ObjectSpreadExpr; }
     TemplateString createTemplateString(const JSTokenLocation&, const Identifier*, const Identifier*) { return TemplateStringResult; }
     TemplateStringList createTemplateStringList(TemplateString) { return TemplateStringListResult; }
@@ -213 +212 @@
         ASSERT(name);
         return Property(name, type);
-    }
-    Property createProperty(int, PropertyNode::Type type, PropertyNode::PutType, bool, SuperBinding, bool)
-    {
-        return Property(type);
     }
     Property createProperty(VM* vm, ParserArena& parserArena, double name, int, PropertyNode::Type type, PropertyNode::PutType, bool complete, SuperBinding, bool)
@@ -358 +353 @@
     {
     }
-    void appendObjectPatternRestEntry(ObjectPattern, const JSTokenLocation&, DestructuringPattern)
-    {
-    }
-    void setContainsObjectRestElement(ObjectPattern, bool)
-    {
-    }
 
     DestructuringPattern createBindingLocation(const JSTokenLocation&, const Identifier&, const JSTextPosition&, const JSTextPosition&, AssignmentContext)

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -105 +105 @@
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getPrototypeOfPrivateName(), objectConstructorGetPrototypeOf, DontEnum, 1);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getOwnPropertyNamesPrivateName(), objectConstructorGetOwnPropertyNames, DontEnum, 1);
-    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getOwnPropertyDescriptorPrivateName(), objectConstructorGetOwnPropertyDescriptor, DontEnum, 1);
 }
 

trunk/Source/JavaScriptCore/runtime/SetPrototype.cpp

@@ -68 +68 @@
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->deleteKeyword, setProtoFuncDelete, DontEnum, 1);
     JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, setProtoFuncHas, DontEnum, 1, JSSetHasIntrinsic);
-    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().hasPrivateName(), setProtoFuncHas, DontEnum, 1, JSSetHasIntrinsic);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().entriesPublicName(), setProtoFuncEntries, DontEnum, 0);
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2017-05-15  Mark Lam  <mark.lam@apple.com>
+
+        Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
+        https://bugs.webkit.org/show_bug.cgi?id=172147
+
+        Rubber-stamped by Saam Barati.
+
+        * wtf/HashSet.h:
+        (WTF::=):
+
 2017-05-14  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WTF/wtf/HashSet.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2005, 2006, 2007, 2008, 2011, 2013, 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2005, 2006, 2007, 2008, 2011, 2013 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -124 +124 @@
         template<typename OtherCollection>
         bool operator==(const OtherCollection&) const;
-        
-        template<typename OtherCollection>
-        bool operator!=(const OtherCollection&) const;
 
     private:
@@ -381 +378 @@
         return true;
     }
-    
-    template<typename T, typename U, typename V>
-    template<typename OtherCollection>
-    inline bool HashSet<T, U, V>::operator!=(const OtherCollection& otherCollection) const
-    {
-        return !(*this == otherCollection);
-    }
 
 } // namespace WTF