Changeset 78727 in webkit

Timestamp:

Feb 16, 2011 11:31:16 AM (13 years ago)

Author:

oliver@apple.com

Message:

2011-02-16 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoff Garen.

Incorrect handling of global writes in dynamic contexts
​https://bugs.webkit.org/show_bug.cgi?id=49383

Add a few tests to ensure that global writes are actually
allowed inside dynamic scopes.

• fast/js/basic-strict-mode-expected.txt:
• fast/js/script-tests/basic-strict-mode.js:

2011-02-16 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoff Garen.

Incorrect handling of global writes in dynamic contexts
​https://bugs.webkit.org/show_bug.cgi?id=49383

• interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): Can't use the existing callframe to return an uncaught exception as by definition that callframe has already been torn down.
• parser/ASTBuilder.h: (JSC::ASTBuilder::ASTBuilder): (JSC::ASTBuilder::varDeclarations): (JSC::ASTBuilder::funcDeclarations): (JSC::ASTBuilder::features): (JSC::ASTBuilder::numConstants): (JSC::ASTBuilder::createFuncDeclStatement): (JSC::ASTBuilder::addVar): (JSC::ASTBuilder::incConstants): (JSC::ASTBuilder::usesThis): (JSC::ASTBuilder::usesCatch): (JSC::ASTBuilder::usesClosures): (JSC::ASTBuilder::usesArguments): (JSC::ASTBuilder::usesAssignment): (JSC::ASTBuilder::usesWith): (JSC::ASTBuilder::usesEval): Don't need a vector of scopes in the ASTBuilder
• runtime/Operations.h: (JSC::resolveBase): In strict mode the optimisation that we use to skip a lookup on the global object is incorrect and lead to us always disallowing global writes when we needed to do a dynamic slot lookup. Now the strict mode path actually checks for the property.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/basic-strict-mode-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/script-tests/basic-strict-mode.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (2 diffs)
• Source/JavaScriptCore/parser/ASTBuilder.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/Operations.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-02-16  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        Incorrect handling of global writes in dynamic contexts
+        https://bugs.webkit.org/show_bug.cgi?id=49383
+
+        Add a few tests to ensure that global writes are actually
+        allowed inside dynamic scopes.
+
+        * fast/js/basic-strict-mode-expected.txt:
+        * fast/js/script-tests/basic-strict-mode.js:
+
 2011-02-16  Nikolas Zimmermann  <nzimmermann@rim.com>
 

trunk/LayoutTests/fast/js/basic-strict-mode-expected.txt

@@ -193 +193 @@
 PASS 'use strict';var a=(arguments=1); threw exception SyntaxError: Parse error.
 PASS (function(){'use strict';var a=(arguments=1);}) threw exception SyntaxError: Parse error.
+PASS 'use strict'; try { throw 1; } catch (e) { aGlobal = true; } is true
+PASS 'use strict'; (function () { try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal; is true
+PASS (function () {'use strict';  try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal; is true
+PASS try { throw 1; } catch (e) { aGlobal = true; } is true
+PASS (function () { try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal; is true
+PASS (function () {try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal; is true
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/script-tests/basic-strict-mode.js

@@ -172 +172 @@
 shouldBeSyntaxError("'use strict';var a=(eval=1);");
 shouldBeSyntaxError("'use strict';var a=(arguments=1);");
+
+var aGlobal = false;
+shouldBeTrue("'use strict'; try { throw 1; } catch (e) { aGlobal = true; }");
+aGlobal = false;
+shouldBeTrue("'use strict'; (function () { try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal;");
+aGlobal = false;
+shouldBeTrue("(function () {'use strict';  try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal;");
+aGlobal = false;
+shouldBeTrue("try { throw 1; } catch (e) { aGlobal = true; }");
+aGlobal = false;
+shouldBeTrue("(function () { try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal;");
+aGlobal = false;
+shouldBeTrue("(function () {try { throw 1; } catch (e) { aGlobal = true; }})(); aGlobal;");
+
 var successfullyParsed = true;

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-02-16  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        Incorrect handling of global writes in dynamic contexts
+        https://bugs.webkit.org/show_bug.cgi?id=49383
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+          Can't use the existing callframe to return an uncaught exception
+          as by definition that callframe has already been torn down.
+        * parser/ASTBuilder.h:
+        (JSC::ASTBuilder::ASTBuilder):
+        (JSC::ASTBuilder::varDeclarations):
+        (JSC::ASTBuilder::funcDeclarations):
+        (JSC::ASTBuilder::features):
+        (JSC::ASTBuilder::numConstants):
+        (JSC::ASTBuilder::createFuncDeclStatement):
+        (JSC::ASTBuilder::addVar):
+        (JSC::ASTBuilder::incConstants):
+        (JSC::ASTBuilder::usesThis):
+        (JSC::ASTBuilder::usesCatch):
+        (JSC::ASTBuilder::usesClosures):
+        (JSC::ASTBuilder::usesArguments):
+        (JSC::ASTBuilder::usesAssignment):
+        (JSC::ASTBuilder::usesWith):
+        (JSC::ASTBuilder::usesEval):
+          Don't need a vector of scopes in the ASTBuilder
+        * runtime/Operations.h:
+        (JSC::resolveBase):
+          In strict mode the optimisation that we use to skip a lookup
+          on the global object is incorrect and lead to us always
+          disallowing global writes when we needed to do a dynamic slot
+          lookup.  Now the strict mode path actually checks for the
+          property.
+
 2011-02-15  Jon Honeycutt  <jhoneycutt@apple.com>
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -2450 +2450 @@
     }
     DEFINE_OPCODE(op_resolve_base) {
-        /* resolve_base dst(r) property(id)
+        /* resolve_base dst(r) property(id) isStrict(bool)
 
            Searches the scope chain for an object containing
            identifier property, and if one is found, writes it to
-           register dst. If none is found, the outermost scope (which
-           will be the global object) is stored in register dst.
+           register dst. If none is found and isStrict is false, the
+           outermost scope (which will be the global object) is
+           stored in register dst.
         */
         resolveBase(callFrame, vPC);
+        CHECK_FOR_EXCEPTION();
 
         vPC += OPCODE_LENGTH(op_resolve_base);
@@ -4777 +4779 @@
             exceptionValue = createInterruptedExecutionException(globalData);
         }
+        JSGlobalObject* globalObject = callFrame->lexicalGlobalObject();
         handler = throwException(callFrame, exceptionValue, vPC - codeBlock->instructions().begin());
-        if (!handler)
-            return throwError(callFrame, exceptionValue);
+        if (!handler) {
+            // Can't use the callframe at this point as the scopechain, etc have
+            // been released.
+            return throwError(globalObject->globalExec(), exceptionValue);
+        }
 
         codeBlock = callFrame->codeBlock();

trunk/Source/JavaScriptCore/parser/ASTBuilder.h

@@ -77 +77 @@
         : m_globalData(globalData)
         , m_lexer(lexer)
+        , m_scope(globalData)
         , m_evalCount(0)
     {
-        m_scopes.append(Scope(globalData));
     }
     
@@ -116 +116 @@
     JSC::SourceElements* createSourceElements() { return new (m_globalData) JSC::SourceElements(m_globalData); }
 
-    ParserArenaData<DeclarationStacks::VarStack>* varDeclarations() { return m_scopes.last().m_varDeclarations; }
-    ParserArenaData<DeclarationStacks::FunctionStack>* funcDeclarations() { return m_scopes.last().m_funcDeclarations; }
-    int features() const { return m_scopes.last().m_features; }
-    int numConstants() const { return m_scopes.last().m_numConstants; }
+    ParserArenaData<DeclarationStacks::VarStack>* varDeclarations() { return m_scope.m_varDeclarations; }
+    ParserArenaData<DeclarationStacks::FunctionStack>* funcDeclarations() { return m_scope.m_funcDeclarations; }
+    int features() const { return m_scope.m_features; }
+    int numConstants() const { return m_scope.m_numConstants; }
 
     void appendToComma(CommaNode* commaNode, ExpressionNode* expr) { commaNode->append(expr); }
@@ -301 +301 @@
         if (*name == m_globalData->propertyNames->arguments)
             usesArguments();
-        m_scopes.last().m_funcDeclarations->data.append(decl->body());
+        m_scope.m_funcDeclarations->data.append(decl->body());
         body->setLoc(bodyStartLine, bodyEndLine);
         return decl;
@@ -495 +495 @@
         if (m_globalData->propertyNames->arguments == *ident)
             usesArguments();
-        m_scopes.last().m_varDeclarations->data.append(std::make_pair(ident, attrs));
+        m_scope.m_varDeclarations->data.append(std::make_pair(ident, attrs));
     }
 
@@ -612 +612 @@
     }
 
-    void incConstants() { m_scopes.last().m_numConstants++; }
-    void usesThis() { m_scopes.last().m_features |= ThisFeature; }
-    void usesCatch() { m_scopes.last().m_features |= CatchFeature; }
-    void usesClosures() { m_scopes.last().m_features |= ClosureFeature; }
-    void usesArguments() { m_scopes.last().m_features |= ArgumentsFeature; }
-    void usesAssignment() { m_scopes.last().m_features |= AssignFeature; }
-    void usesWith() { m_scopes.last().m_features |= WithFeature; }
+    void incConstants() { m_scope.m_numConstants++; }
+    void usesThis() { m_scope.m_features |= ThisFeature; }
+    void usesCatch() { m_scope.m_features |= CatchFeature; }
+    void usesClosures() { m_scope.m_features |= ClosureFeature; }
+    void usesArguments() { m_scope.m_features |= ArgumentsFeature; }
+    void usesAssignment() { m_scope.m_features |= AssignFeature; }
+    void usesWith() { m_scope.m_features |= WithFeature; }
     void usesEval() 
     {
         m_evalCount++;
-        m_scopes.last().m_features |= EvalFeature;
+        m_scope.m_features |= EvalFeature;
     }
     ExpressionNode* createNumber(double d)
@@ -631 +631 @@
     JSGlobalData* m_globalData;
     Lexer* m_lexer;
-    Vector<Scope> m_scopes;
+    Scope m_scope;
     Vector<BinaryOperand, 10> m_binaryOperandStack;
     Vector<AssignmentInfo, 10> m_assignmentInfoStack;

trunk/Source/JavaScriptCore/runtime/Operations.h

@@ -473 +473 @@
         while (true) {
             base = iter->get();
-            if (next == end)
-                return isStrictPut ? JSValue() : base;
+            if (next == end) {
+                if (isStrictPut && !base->getPropertySlot(callFrame, property, slot))
+                    return JSValue();
+                return base;
+            }
             if (base->getPropertySlot(callFrame, property, slot))
                 return base;