Changeset 47062 in webkit

Timestamp:

Aug 11, 2009 2:30:11 PM (15 years ago)

Author:

oliver@apple.com

Message:

REGRESSION: Hang/crash in BytecodeGenerator::constRegisterFor loading simple page
​https://bugs.webkit.org/show_bug.cgi?id=28169

Reviewed by Geoff Garen.

Handle the case where someone has attempted to shadow a property
on the global object with a constant.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• JavaScriptCore/parser/Nodes.cpp (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/const-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/const.html (modified) (1 diff)
• LayoutTests/fast/js/resources/const.js (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-08-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        REGRESSION: Hang/crash in BytecodeGenerator::constRegisterFor loading simple page
+        https://bugs.webkit.org/show_bug.cgi?id=28169
+
+        Handle the case where someone has attempted to shadow a property
+        on the global object with a constant.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::constRegisterFor):
+        * parser/Nodes.cpp:
+        (JSC::ConstDeclNode::emitCodeSingle):
+
 2009-08-11  John Gregg  <johnnyg@google.com>
 

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -471 +471 @@
 
     SymbolTableEntry entry = symbolTable().get(ident.ustring().rep());
-    ASSERT(!entry.isNull());
+    if (entry.isNull())
+        return 0;
 
     return &registerFor(entry.getIndex());

trunk/JavaScriptCore/parser/Nodes.cpp

@@ -1206 +1206 @@
         return generator.emitNode(local, m_init);
     }
-    
+
+    if (generator.codeType() != EvalCode) {
+        if (m_init)
+            return generator.emitNode(m_init);
+        else
+            return generator.emitResolve(generator.newTemporary(), m_ident);
+    }
     // FIXME: While this code should only be hit in eval code, it will potentially
     // assign to the wrong base if m_ident exists in an intervening dynamic scope.

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-08-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        REGRESSION: Hang/crash in BytecodeGenerator::constRegisterFor loading simple page
+        https://bugs.webkit.org/show_bug.cgi?id=28169
+
+        Ensure that const declarations work correctly when attempting to shadow a
+        property on the global object.
+
+        * fast/js/const-expected.txt:
+        * fast/js/const.html:
+        * fast/js/resources/const.js:
+
 2009-08-11  John Gregg  <johnnyg@google.com>
 

trunk/LayoutTests/fast/js/const-expected.txt

@@ -50 +50 @@
 PASS f() is f
 PASS const a; is undefined
+PASS bodyId is document.getElementById('bodyId')
+PASS ranConstInitialiser is true
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/const.html

@@ -5 +5 @@
 <script src="resources/js-test-pre.js"></script>
 </head>
-<body>
+<body id="bodyId">
 <p id="description"></p>
 <div id="console"></div>

trunk/LayoutTests/fast/js/resources/const.js

@@ -113 +113 @@
 shouldBe("const a;", "undefined");
 
+// Make sure we don't override properties placed on the global object
+var ranConstInitialiser = false;
+const bodyId = (ranConstInitialiser = true, "Const initialiser overwrote existing property");
+shouldBe("bodyId", "document.getElementById('bodyId')");
+shouldBeTrue("ranConstInitialiser");
 var successfullyParsed = true;