[webkit-changes] [WebKit/WebKit] 8f6b20: [JSC] Redeclaring parameter of a generator / async...

Commit Queue noreply at github.com
Thu Jan 4 18:40:34 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8f6b2012d16c22469a4ebff6badf4756dbc824e6
      https://github.com/WebKit/WebKit/commit/8f6b2012d16c22469a4ebff6badf4756dbc824e6
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2024-01-04 (Thu, 04 Jan 2024)

  Changed paths:
    A JSTests/stress/regress-223533.js
    M Source/JavaScriptCore/builtins/BuiltinExecutables.cpp
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/runtime/CachedTypes.cpp
    M Source/JavaScriptCore/runtime/CodeCache.cpp

  Log Message:
  -----------
  [JSC] Redeclaring parameter of a generator / async function makes it `undefined`
https://bugs.webkit.org/show_bug.cgi?id=223533
<rdar://problem/75899149>

Reviewed by Yusuke Suzuki.

Since under the hood, a generator / async function is implemented using two functions (wrapper and body),
parameter redeclaration with `var` requires special care.

Given that the bytecode for a generator / async body function is generated with the result of reparsing,
we can't consult the parent scope in the parser and detect which declarations shadow parameters of the wrapper
function, hence the only way to pass that information is via the bytecode generator, in the rare data
of UnlinkedFunctionExecutable.

This patch prevents createVariable() from being called on `var` declarations that would otherwise
erroneously shadow generator / async wrapper function parameters, downgrading them to VarKind::Invalid
and emitting extra get_from_scope / resolve_scope ops as if `var foo;` declarations were missing.

It's sensible and safe as long as Annex B function hoisting [1] is aligned and shadowed generator /
async wrapper function parameters are marked as captured (done conservatively for all parameters).

Fixes a long-standing bug that resulted in Safari breaking on minified code produced by UglifyJS
in its default configuration [2].

[1]: https://tc39.es/ecma262/#sec-web-compat-functiondeclarationinstantiation (step 29.a.ii)
[2]: https://github.com/mishoo/UglifyJS/issues/5032

* JSTests/stress/regress-223533.js: Added.
* Source/JavaScriptCore/builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
(JSC::BytecodeGenerator::getParameterNames const):
(JSC::BytecodeGenerator::emitNewClassFieldInitializerFunction):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::makeFunction):
* Source/JavaScriptCore/runtime/CachedTypes.cpp:
(JSC::CachedFunctionExecutableRareData::encode):
(JSC::CachedFunctionExecutableRareData::decode const):
* Source/JavaScriptCore/runtime/CodeCache.cpp:
(JSC::generateUnlinkedCodeBlockImpl):
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

Canonical link: https://commits.webkit.org/272666@main
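The parameter-redeclaration cases the commit message describes, written out as an added example; this is not code from the commit or from the JSTests file it adds, and the function names are my own. Under a spec-conforming engine every case keeps the argument value, which is exactly what the bug broke (the parameter came back as `undefined`).

```javascript
// Added example: `var` redeclaring a generator / async function parameter.
// Per ECMA-262 a bare `var a;` in the body must NOT reset the parameter;
// only `var a = expr;` assigns. Engine names below are hypothetical.

function* genRedeclare(a) {
  var a;            // redeclaration without initializer: keeps the argument
  yield a;
  var a = a + 1;    // redeclaration with initializer: ordinary assignment
  yield a;
}

async function asyncRedeclare(x) {
  var x;            // same rule for the async wrapper/body split
  return x;
}

function* genAnnexB(a) {
  // Sloppy-mode block-level function sharing the parameter's name: Annex B
  // hoisting (sec-web-compat-functiondeclarationinstantiation, step 29.a.ii)
  // is skipped because the name is in parameterNames, so `a` stays the
  // argument outside the block. In strict mode the result is the same.
  {
    function a() {}
  }
  return a;
}

function* genCapture(a) {
  var a;
  const read = () => a;   // closure captures the single `a` binding
  a = a * 2;
  yield read();
}

// Collect results so they can be checked rather than only printed.
function runChecks() {
  const g = genRedeclare(5);
  const first = g.next().value;             // 5
  const second = g.next().value;            // 6
  const annex = genAnnexB(7).next().value;  // 7
  const cap = genCapture(3).next().value;   // 6
  return { first, second, annex, cap };
}

asyncRedeclare(9).then((v) => {
  if (v !== 9) throw new Error(`async parameter lost: ${v}`);
});
```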