Changeset 282968 in webkit

Timestamp:

Sep 23, 2021 10:24:52 AM (10 months ago)

Author:

Ross Kirsling

Message:

[JSC] Handle syntactic production for #x in expr correctly
​https://bugs.webkit.org/show_bug.cgi?id=230668

Reviewed by Yusuke Suzuki.

JSTests:

• stress/private-in.js: Add tests.
• test262/expectations.yaml: Mark two test cases as passing.

Source/JavaScriptCore:

The production for #x in expr is easy to get wrong.

RelationalExpression[In, Yield, Await] :

ShiftExpression?Await
RelationalExpression?Yield, ?Await < ShiftExpression?Await
RelationalExpression?Yield, ?Await > ShiftExpression?Await
RelationalExpression?Yield, ?Await <= ShiftExpression?Await
RelationalExpression?Yield, ?Await >= ShiftExpression?Await
RelationalExpression?Yield, ?Await instanceof ShiftExpression?Await
[+In] RelationalExpression[+In, ?Yield, ?Await] in ShiftExpression?Await
[+In] PrivateIdentifier in ShiftExpression?Await

We were ensuring that a standalone private name #x is always followed by operator in;
this patch further ensures that that particular in can't have its LHS misparsed as a RelationalExpression.

• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseBinaryExpression):
Verify the precedence of the topmost operator on the stack (if any) when parsing standalone #x.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/private-in.js (modified) (2 diffs)
• JSTests/test262/expectations.yaml (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-09-23  Ross Kirsling  <ross.kirsling@sony.com>
+
+        [JSC] Handle syntactic production for `#x in expr` correctly
+        https://bugs.webkit.org/show_bug.cgi?id=230668
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/private-in.js: Add tests.
+        * test262/expectations.yaml: Mark two test cases as passing.
+
 2021-09-22  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/stress/private-in.js

@@ -1 +1 @@
 function assert(b) {
   if (!b) throw new Error;
+}
+
+function shouldNotThrow(script) {
+    eval(script);
+}
+
+function shouldThrowSyntaxError(script) {
+    let error;
+    try {
+        eval(script);
+    } catch (e) {
+        error = e;
+    }
+
+    if (!(error instanceof SyntaxError))
+        throw new Error('Expected SyntaxError!');
 }
 
@@ -60 +76 @@
 for (let i = 0; i < 10000; i++)
   test();
+
+shouldNotThrow(() => { class C { #x; f() { 0 == #x in {}; } } });
+shouldNotThrow(() => { class C { #x; f() { 0 != #x in {}; } } });
+shouldNotThrow(() => { class C { #x; f() { 0 === #x in {}; } } });
+shouldNotThrow(() => { class C { #x; f() { 0 !== #x in {}; } } });
+shouldThrowSyntaxError('class C { #x; f() { 0 < #x in {}; } }');
+shouldThrowSyntaxError('class C { #x; f() { 0 > #x in {}; } }');
+shouldThrowSyntaxError('class C { #x; f() { 0 <= #x in {}; } }');
+shouldThrowSyntaxError('class C { #x; f() { 0 >= #x in {}; } }');
+shouldThrowSyntaxError('class C { #x; f() { 0 instanceof #x in {}; } }');
+shouldThrowSyntaxError('class C { #x; f() { 0 in #x in {}; } }');

trunk/JSTests/test262/expectations.yaml

@@ -1596 +1596 @@
 test/language/expressions/generators/scope-param-rest-elem-var-open.js:
   default: 'Test262Error: Expected SameValue(«outside», «inside») to be true'
-test/language/expressions/in/private-field-in-nested.js:
-  default: 'Test262: This statement should not be evaluated.'
-  strict mode: 'Test262: This statement should not be evaluated.'
 test/language/expressions/instanceof/prototype-getter-with-primitive.js:
   default: "Test262Error: getter for 'prototype' called"

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-09-23  Ross Kirsling  <ross.kirsling@sony.com>
+
+        [JSC] Handle syntactic production for `#x in expr` correctly
+        https://bugs.webkit.org/show_bug.cgi?id=230668
+
+        Reviewed by Yusuke Suzuki.
+
+        The production for `#x in expr` is easy to get wrong.
+
+            RelationalExpression[In, Yield, Await] :
+                ShiftExpression[?Yield, ?Await]
+                RelationalExpression[?In, ?Yield, ?Await] < ShiftExpression[?Yield, ?Await]
+                RelationalExpression[?In, ?Yield, ?Await] > ShiftExpression[?Yield, ?Await]
+                RelationalExpression[?In, ?Yield, ?Await] <= ShiftExpression[?Yield, ?Await]
+                RelationalExpression[?In, ?Yield, ?Await] >= ShiftExpression[?Yield, ?Await]
+                RelationalExpression[?In, ?Yield, ?Await] instanceof ShiftExpression[?Yield, ?Await]
+                [+In] RelationalExpression[+In, ?Yield, ?Await] in ShiftExpression[?Yield, ?Await]
+                [+In] PrivateIdentifier in ShiftExpression[?Yield, ?Await]
+
+        We were ensuring that a standalone private name `#x` is always followed by operator `in`;
+        this patch further ensures that that particular `in` can't have its LHS misparsed as a RelationalExpression.
+
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseBinaryExpression):
+        Verify the precedence of the topmost operator on the stack (if any) when parsing standalone `#x`.
+
 2021-09-22  Mikhail R. Gadelha  <mikhail@igalia.com>
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -4239 +4239 @@
     bool hasCoalesceOperator = false;
 
+    int previousOperator = 0;
     while (true) {
         JSTextPosition exprStart = tokenStartPosition();
@@ -4251 +4252 @@
             m_seenPrivateNameUseInNonReparsingFunctionMode = true;
             next();
-            semanticFailIfTrue(m_token.m_type != INTOKEN, "Bare private name can only be used as the left-hand side of an `in` expression");
+            semanticFailIfTrue(m_token.m_type != INTOKEN || previousOperator >= INTOKEN, "Bare private name can only be used as the left-hand side of an `in` expression");
             current = context.createPrivateIdentifierNode(location, *ident);
         } else
@@ -4308 +4309 @@
         }
         context.operatorStackAppend(operatorStackDepth, operatorToken, precedence);
+        previousOperator = operatorToken;
     }
     while (operatorStackDepth) {