<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[202778] trunk/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/202778">202778</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-07-02 10:43:56 -0700 (Sat, 02 Jul 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope
https://bugs.webkit.org/show_bug.cgi?id=159332
rdar://problem/27018958

Reviewed by Saam Barati.
        
This fixes an instacrash in this code:
        
    try{}catch(e){}print(e);let e;
        
We lift TDZ for &quot;e&quot; in &quot;catch (e){}&quot;, but since that scope doesn't push anything onto the
TDZ stack, we lift TDZ from &quot;let e&quot;.
        
The problem is that we weren't tracking the set of variables that do not have TDZ. We need
to track them to &quot;block&quot; the traversal that lifts TDZ. This change fixes this issue by
using a map that tracks all known variables, and tells you if they are under TDZ or not.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::numParameters):
* bytecode/CodeOrigin.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::Label::setLocation):
(JSC::Variable::dump):
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::pushLexicalScopeInternal):
(JSC::BytecodeGenerator::popLexicalScope):
(JSC::BytecodeGenerator::popLexicalScopeInternal):
(JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
(JSC::BytecodeGenerator::variable):
(JSC::BytecodeGenerator::needsTDZCheck):
(JSC::BytecodeGenerator::liftTDZCheckIfPossible):
(JSC::BytecodeGenerator::pushTDZVariables):
(JSC::BytecodeGenerator::getVariablesUnderTDZ):
(JSC::BytecodeGenerator::endGenerator):
(WTF::printInternal):
* bytecompiler/BytecodeGenerator.h:
(JSC::Variable::isConst):
(JSC::Variable::setIsReadOnly):
* interpreter/CallFrame.h:
(JSC::ExecState::topOfFrame):
* tests/stress/lift-tdz-bypass-catch.js: Added.
(foo):
(catch):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockh">trunk/Source/JavaScriptCore/bytecode/CodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeOriginh">trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterCallFrameh">trunk/Source/JavaScriptCore/interpreter/CallFrame.h</a></li>
<li><a href="#trunkSourceWTFbenchmarksLockFairnessTestcpp">trunk/Source/WTF/benchmarks/LockFairnessTest.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstresslifttdzbypasscatchjs">trunk/Source/JavaScriptCore/tests/stress/lift-tdz-bypass-catch.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -1,3 +1,50 @@
</span><ins>+2016-06-30  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope
+        https://bugs.webkit.org/show_bug.cgi?id=159332
+        rdar://problem/27018958
+
+        Reviewed by Saam Barati.
+        
+        This fixes an instacrash in this code:
+        
+            try{}catch(e){}print(e);let e;
+        
+        We lift TDZ for &quot;e&quot; in &quot;catch (e){}&quot;, but since that scope doesn't push anything onto the
+        TDZ stack, we lift TDZ from &quot;let e&quot;.
+        
+        The problem is that we weren't tracking the set of variables that do not have TDZ. We need
+        to track them to &quot;block&quot; the traversal that lifts TDZ. This change fixes this issue by
+        using a map that tracks all known variables, and tells you if they are under TDZ or not.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::numParameters):
+        * bytecode/CodeOrigin.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::Label::setLocation):
+        (JSC::Variable::dump):
+        (JSC::BytecodeGenerator::generate):
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
+        (JSC::BytecodeGenerator::popLexicalScope):
+        (JSC::BytecodeGenerator::popLexicalScopeInternal):
+        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
+        (JSC::BytecodeGenerator::variable):
+        (JSC::BytecodeGenerator::needsTDZCheck):
+        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
+        (JSC::BytecodeGenerator::pushTDZVariables):
+        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
+        (JSC::BytecodeGenerator::endGenerator):
+        (WTF::printInternal):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::Variable::isConst):
+        (JSC::Variable::setIsReadOnly):
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::topOfFrame):
+        * tests/stress/lift-tdz-bypass-catch.js: Added.
+        (foo):
+        (catch):
+
</ins><span class="cx"> 2016-07-01  Benjamin Poulain  &lt;bpoulain@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [JSC] RegExp.compile is not returning the regexp when it succeed
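Review bot: The ChangeLog does not cover the change to Source/WTF/benchmarks/LockFairnessTest.cpp that is part of this revision, and no Source/WTF/ChangeLog entry is included; either drop the benchmark change from this commit or add a WTF ChangeLog entry for it. The entries for bytecode/CodeBlock.h, bytecode/CodeOrigin.h and interpreter/CallFrame.h also name the nearest context function (for example (JSC::CodeBlock::numParameters)) rather than the actual change, which is adding JS_EXPORT_PRIVATE to dump() and codeOrigin(); one sentence saying why those symbols are now exported would help.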
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.h (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.h        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.h        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -141,7 +141,7 @@
</span><span class="cx">     CString sourceCodeForTools() const; // Not quite the actual source we parsed; this will do things like prefix the source for a function with a reified signature.
</span><span class="cx">     CString sourceCodeOnOneLine() const; // As sourceCodeForTools(), but replaces all whitespace runs with a single space.
</span><span class="cx">     void dumpAssumingJITType(PrintStream&amp;, JITCode::JITType) const;
</span><del>-    void dump(PrintStream&amp;) const;
</del><ins>+    JS_EXPORT_PRIVATE void dump(PrintStream&amp;) const;
</ins><span class="cx"> 
</span><span class="cx">     int numParameters() const { return m_numParameters; }
</span><span class="cx">     void setNumParameters(int newValue);
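Review bot: The JS_EXPORT_PRIVATE added to dump() here (and likewise to CodeOrigin::dump in CodeOrigin.h and ExecState::codeOrigin in CallFrame.h) is unrelated to the TDZ fix described in the log message, and nothing in the patch says which consumer outside the library needs these symbols; add a ChangeLog sentence stating the purpose, or land the exports separately.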
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeOriginh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -109,7 +109,7 @@
</span><span class="cx">     // Get the inline stack. This is slow, and is intended for debugging only.
</span><span class="cx">     Vector&lt;CodeOrigin&gt; inlineStack() const;
</span><span class="cx">     
</span><del>-    void dump(PrintStream&amp;) const;
</del><ins>+    JS_EXPORT_PRIVATE void dump(PrintStream&amp;) const;
</ins><span class="cx">     void dumpInContext(PrintStream&amp;, DumpContext*) const;
</span><span class="cx"> 
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -45,6 +45,7 @@
</span><span class="cx"> #include &quot;StrongInlines.h&quot;
</span><span class="cx"> #include &quot;UnlinkedCodeBlock.h&quot;
</span><span class="cx"> #include &quot;UnlinkedInstructionStream.h&quot;
</span><ins>+#include &lt;wtf/CommaPrinter.h&gt;
</ins><span class="cx"> #include &lt;wtf/StdLibExtras.h&gt;
</span><span class="cx"> #include &lt;wtf/text/WTFString.h&gt;
</span><span class="cx"> 
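Review bot: The new #include &lt;wtf/CommaPrinter.h&gt; is not used by anything in this diff; Variable::dump below emits its separators as literal &quot;, &quot; strings rather than through a CommaPrinter. Either use a CommaPrinter in dump() or drop the include.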
</span><span class="lines">@@ -61,6 +62,18 @@
</span><span class="cx">         m_generator.instructions()[m_unresolvedJumps[i].second].u.operand = m_location - m_unresolvedJumps[i].first;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void Variable::dump(PrintStream&amp; out) const
+{
+    out.print(
+        &quot;{ident = &quot;, m_ident,
+        &quot;, offset = &quot;, m_offset,
+        &quot;, local = &quot;, RawPointer(m_local),
+        &quot;, attributes = &quot;, m_attributes,
+        &quot;, kind = &quot;, m_kind,
+        &quot;, symbolTableConstantIndex = &quot;, m_symbolTableConstantIndex,
+        &quot;, isLexicallyScoped = &quot;, m_isLexicallyScoped, &quot;}&quot;);
+}
+
</ins><span class="cx"> ParserError BytecodeGenerator::generate()
</span><span class="cx"> {
</span><span class="cx">     m_codeBlock-&gt;setThisRegister(m_thisRegister.virtualRegister());
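Review bot: Minor style in Variable::dump: the last field is printed as &quot;, isLexicallyScoped = &quot;, m_isLexicallyScoped, &quot;}&quot;, which yields `isLexicallyScoped = 1}` with no space before the closing brace, while the opener is &quot;{ident = &quot;; print &quot; }&quot; (or drop the space after the opening brace) so the two ends match.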
</span><span class="lines">@@ -603,7 +616,7 @@
</span><span class="cx"> 
</span><span class="cx">     // All &quot;addVar()&quot;s needs to happen before &quot;initializeDefaultParameterValuesAndSetupFunctionScopeStack()&quot; is called
</span><span class="cx">     // because a function's default parameter ExpressionNodes will use temporary registers.
</span><del>-    pushTDZVariables(*parentScopeTDZVariables, TDZCheckOptimization::DoNotOptimize);
</del><ins>+    pushTDZVariables(*parentScopeTDZVariables, TDZCheckOptimization::DoNotOptimize, TDZRequirement::UnderTDZ);
</ins><span class="cx">     initializeDefaultParameterValuesAndSetupFunctionScopeStack(parameters, isSimpleParameterList, functionNode, functionSymbolTable, symbolTableConstantIndex, captures, shouldCreateArgumentsVariableInParameterScope);
</span><span class="cx">     
</span><span class="cx">     // If we don't have  default parameter expression, then loading |this| inside an arrow function must be done
</span><span class="lines">@@ -639,7 +652,7 @@
</span><span class="cx"> 
</span><span class="cx">     m_codeBlock-&gt;setNumParameters(1);
</span><span class="cx"> 
</span><del>-    pushTDZVariables(*parentScopeTDZVariables, TDZCheckOptimization::DoNotOptimize);
</del><ins>+    pushTDZVariables(*parentScopeTDZVariables, TDZCheckOptimization::DoNotOptimize, TDZRequirement::UnderTDZ);
</ins><span class="cx"> 
</span><span class="cx">     emitEnter();
</span><span class="cx"> 
</span><span class="lines">@@ -756,7 +769,7 @@
</span><span class="cx">     else
</span><span class="cx">         constantSymbolTable = addConstantValue(moduleEnvironmentSymbolTable-&gt;cloneScopePart(*m_vm));
</span><span class="cx"> 
</span><del>-    pushTDZVariables(lexicalVariables, TDZCheckOptimization::Optimize);
</del><ins>+    pushTDZVariables(lexicalVariables, TDZCheckOptimization::Optimize, TDZRequirement::UnderTDZ);
</ins><span class="cx">     bool isWithScope = false;
</span><span class="cx">     m_symbolTableStack.append(SymbolTableStackEntry { moduleEnvironmentSymbolTable, m_topMostScope, isWithScope, constantSymbolTable-&gt;index() });
</span><span class="cx">     emitPrefillStackTDZVariables(lexicalVariables, moduleEnvironmentSymbolTable);
</span><span class="lines">@@ -1933,8 +1946,7 @@
</span><span class="cx"> 
</span><span class="cx">     bool isWithScope = false;
</span><span class="cx">     m_symbolTableStack.append(SymbolTableStackEntry{ symbolTable, newScope, isWithScope, symbolTableConstantIndex });
</span><del>-    if (tdzRequirement == TDZRequirement::UnderTDZ)
-        pushTDZVariables(environment, tdzCheckOptimization);
</del><ins>+    pushTDZVariables(environment, tdzCheckOptimization, tdzRequirement);
</ins><span class="cx"> 
</span><span class="cx">     if (tdzRequirement == TDZRequirement::UnderTDZ)
</span><span class="cx">         emitPrefillStackTDZVariables(environment, symbolTable);
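Review bot: Add a short comment at the now-unconditional pushTDZVariables call explaining that NotUnderTDZ scopes must still push a frame (their variables are recorded as NotNeeded so that lifting from an inner scope stops here instead of reaching an outer binding of the same name), because the emitPrefillStackTDZVariables call two lines below stays conditional on UnderTDZ and the asymmetry reads like an oversight without it.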
</span><span class="lines">@@ -2021,10 +2033,10 @@
</span><span class="cx"> void BytecodeGenerator::popLexicalScope(VariableEnvironmentNode* node)
</span><span class="cx"> {
</span><span class="cx">     VariableEnvironment&amp; environment = node-&gt;lexicalVariables();
</span><del>-    popLexicalScopeInternal(environment, TDZRequirement::UnderTDZ);
</del><ins>+    popLexicalScopeInternal(environment);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-void BytecodeGenerator::popLexicalScopeInternal(VariableEnvironment&amp; environment, TDZRequirement tdzRequirement)
</del><ins>+void BytecodeGenerator::popLexicalScopeInternal(VariableEnvironment&amp; environment)
</ins><span class="cx"> {
</span><span class="cx">     // NOTE: This function only makes sense for scopes that aren't ScopeRegisterType::Var (only function name scope right now is ScopeRegisterType::Var).
</span><span class="cx">     // This doesn't make sense for ScopeRegisterType::Var because we deref RegisterIDs here.
</span><span class="lines">@@ -2057,8 +2069,7 @@
</span><span class="cx">         stackEntry.m_scope-&gt;deref();
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (tdzRequirement == TDZRequirement::UnderTDZ)
-        m_TDZStack.removeLast();
</del><ins>+    m_TDZStack.removeLast();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration(VariableEnvironmentNode* node, RegisterID* loopSymbolTable)
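Review bot: m_TDZStack.removeLast() is now unconditional here, but pushTDZVariables still returns early without pushing when environment.size() is zero. Confirm that popLexicalScopeInternal has the matching early return for an empty environment (it is not visible in this hunk); otherwise a scope with no lexical variables would pop a TDZ frame it never pushed. An ASSERT(!m_TDZStack.isEmpty()) before the removeLast() would make the invariant explicit.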
</span><span class="lines">@@ -2182,7 +2193,7 @@
</span><span class="cx">             result.setIsReadOnly();
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><del>-
</del><ins>+    
</ins><span class="cx">     return Variable(property);
</span><span class="cx"> }
</span><span class="cx"> 
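Review bot: This hunk only replaces a blank line with a line of trailing whitespace (the single `+` line is four spaces); WebKit style forbids trailing whitespace, so revert this hunk.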
</span><span class="lines">@@ -2722,9 +2733,10 @@
</span><span class="cx"> bool BytecodeGenerator::needsTDZCheck(const Variable&amp; variable)
</span><span class="cx"> {
</span><span class="cx">     for (unsigned i = m_TDZStack.size(); i--;) {
</span><del>-        VariableEnvironment&amp; identifiers = m_TDZStack[i].first;
-        if (identifiers.contains(variable.ident().impl()))
-            return true;
</del><ins>+        auto iter = m_TDZStack[i].find(variable.ident().impl());
+        if (iter == m_TDZStack[i].end())
+            continue;
+        return iter-&gt;value != TDZNecessityLevel::NotNeeded;
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     return false;
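Review bot: A comment on the `continue` in needsTDZCheck would document the new intent: the walk now stops at the innermost frame that names the variable and returns whether that frame's level is anything other than NotNeeded, so a NotNeeded hit deliberately ends the search rather than falling through to an outer frame. The previous loop only ever returned true on a hit, so a reader comparing the two could mistake the early `return` on NotNeeded for a lost check.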
</span><span class="lines">@@ -2747,41 +2759,54 @@
</span><span class="cx"> {
</span><span class="cx">     RefPtr&lt;UniquedStringImpl&gt; identifier(variable.ident().impl());
</span><span class="cx">     for (unsigned i = m_TDZStack.size(); i--;) {
</span><del>-        VariableEnvironment&amp; environment = m_TDZStack[i].first;
-        if (environment.contains(identifier)) {
-            TDZCheckOptimization tdzCheckOptimizationCapability = m_TDZStack[i].second;
-            if (tdzCheckOptimizationCapability == TDZCheckOptimization::Optimize) {
-                bool wasRemoved = environment.remove(identifier);
-                RELEASE_ASSERT(wasRemoved);
-            }
</del><ins>+        auto iter = m_TDZStack[i].find(identifier);
+        if (iter != m_TDZStack[i].end()) {
+            if (iter-&gt;value == TDZNecessityLevel::Optimize)
+                iter-&gt;value = TDZNecessityLevel::NotNeeded;
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void BytecodeGenerator::pushTDZVariables(VariableEnvironment environment, TDZCheckOptimization optimization)
</del><ins>+void BytecodeGenerator::pushTDZVariables(const VariableEnvironment&amp; environment, TDZCheckOptimization optimization, TDZRequirement requirement)
</ins><span class="cx"> {
</span><span class="cx">     if (!environment.size())
</span><span class="cx">         return;
</span><ins>+    
+    TDZNecessityLevel level;
+    if (requirement == TDZRequirement::UnderTDZ) {
+        if (optimization == TDZCheckOptimization::Optimize)
+            level = TDZNecessityLevel::Optimize;
+        else
+            level = TDZNecessityLevel::DoNotOptimize;
+    } else
+        level = TDZNecessityLevel::NotNeeded;
+    
+    TDZMap map;
+    for (const auto&amp; entry : environment)
+        map.add(entry.key, entry.value.isFunction() ? TDZNecessityLevel::NotNeeded : level);
</ins><span class="cx"> 
</span><del>-    Vector&lt;UniquedStringImpl*, 4&gt; functionsToRemove;
-    for (const auto&amp; entry : environment) {
-        if (entry.value.isFunction())
-            functionsToRemove.append(entry.key.get());
-    }
-
-    for (UniquedStringImpl* function : functionsToRemove)
-        environment.remove(function);
-
-    m_TDZStack.append(std::make_pair(WTFMove(environment), optimization));
</del><ins>+    m_TDZStack.append(WTFMove(map));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void BytecodeGenerator::getVariablesUnderTDZ(VariableEnvironment&amp; result)
</span><span class="cx"> {
</span><del>-    for (auto&amp; pair : m_TDZStack) {
-        VariableEnvironment&amp; environment = pair.first;
-        for (auto entry : environment)
-            result.add(entry.key.get());
</del><ins>+    // NOTE: This is conservative. If called at &quot;...&quot;, it will report &quot;x&quot; as being under TDZ:
+    //
+    //     {
+    //         {
+    //             let x;
+    //             ...
+    //         }
+    //         let x;
+    //     }
+    //
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=159387
+    for (auto&amp; map : m_TDZStack) {
+        for (auto&amp; entry : map)  {
+            if (entry.value != TDZNecessityLevel::NotNeeded)
+                result.add(entry.key.get());
+        }
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
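Review bot: Style nit in getVariablesUnderTDZ: `for (auto&amp; entry : map)  {` has two spaces before the opening brace. Note also that pushTDZVariables keeps the `if (!environment.size()) return;` early exit, so an empty scope pushes no frame; that is the invariant the unconditional removeLast() in popLexicalScopeInternal depends on. The conservative reporting of a shadowed name in getVariablesUnderTDZ is already tracked in the FIXME, so nothing further is needed there.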
</span><span class="lines">@@ -3836,7 +3861,7 @@
</span><span class="cx"> 
</span><span class="cx"> void BytecodeGenerator::emitPopCatchScope(VariableEnvironment&amp; environment) 
</span><span class="cx"> {
</span><del>-    popLexicalScopeInternal(environment, TDZRequirement::NotUnderTDZ);
</del><ins>+    popLexicalScopeInternal(environment);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void BytecodeGenerator::beginSwitch(RegisterID* scrutineeRegister, SwitchInfo::SwitchType type)
</span><span class="lines">@@ -4631,3 +4656,21 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span><ins>+
+namespace WTF {
+
+void printInternal(PrintStream&amp; out, JSC::Variable::VariableKind kind)
+{
+    switch (kind) {
+    case JSC::Variable::NormalVariable:
+        out.print(&quot;Normal&quot;);
+        return;
+    case JSC::Variable::SpecialVariable:
+        out.print(&quot;Special&quot;);
+        return;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
+} // namespace WTF
+
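Review bot: The final `+` line adds an empty line after `} // namespace WTF`, leaving the file ending in a blank line; drop it. The switch in printInternal covers both VariableKind enumerators and falls through to RELEASE_ASSERT_NOT_REACHED(), which is the usual WebKit pattern.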
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -238,6 +238,8 @@
</span><span class="cx">         bool isConst() const { return isReadOnly() &amp;&amp; m_isLexicallyScoped; }
</span><span class="cx">         void setIsReadOnly() { m_attributes |= ReadOnly; }
</span><span class="cx"> 
</span><ins>+        void dump(PrintStream&amp;) const;
+
</ins><span class="cx">     private:
</span><span class="cx">         Identifier m_ident;
</span><span class="cx">         VarOffset m_offset;
</span><span class="lines">@@ -728,7 +730,7 @@
</span><span class="cx">         enum class ScopeRegisterType { Var, Block };
</span><span class="cx">         void pushLexicalScopeInternal(VariableEnvironment&amp;, TDZCheckOptimization, NestedScopeType, RegisterID** constantSymbolTableResult, TDZRequirement, ScopeType, ScopeRegisterType);
</span><span class="cx">         void initializeBlockScopedFunctions(VariableEnvironment&amp;, FunctionStack&amp;, RegisterID* constantSymbolTable);
</span><del>-        void popLexicalScopeInternal(VariableEnvironment&amp;, TDZRequirement);
</del><ins>+        void popLexicalScopeInternal(VariableEnvironment&amp;);
</ins><span class="cx">         template&lt;typename LookUpVarKindFunctor&gt;
</span><span class="cx">         bool instantiateLexicalVariables(const VariableEnvironment&amp;, SymbolTable*, ScopeRegisterType, LookUpVarKindFunctor);
</span><span class="cx">         void emitPrefillStackTDZVariables(const VariableEnvironment&amp;, SymbolTable*);
</span><span class="lines">@@ -881,9 +883,15 @@
</span><span class="cx">             int m_symbolTableConstantIndex;
</span><span class="cx">         };
</span><span class="cx">         Vector&lt;SymbolTableStackEntry&gt; m_symbolTableStack;
</span><del>-        Vector&lt;std::pair&lt;VariableEnvironment, TDZCheckOptimization&gt;&gt; m_TDZStack;
</del><ins>+        enum class TDZNecessityLevel {
+            NotNeeded,
+            Optimize,
+            DoNotOptimize
+        };
+        typedef HashMap&lt;RefPtr&lt;UniquedStringImpl&gt;, TDZNecessityLevel, IdentifierRepHash&gt; TDZMap;
+        Vector&lt;TDZMap&gt; m_TDZStack;
</ins><span class="cx">         Optional&lt;size_t&gt; m_varScopeSymbolTableIndex;
</span><del>-        void pushTDZVariables(VariableEnvironment, TDZCheckOptimization);
</del><ins>+        void pushTDZVariables(const VariableEnvironment&amp;, TDZCheckOptimization, TDZRequirement);
</ins><span class="cx"> 
</span><span class="cx">         ScopeNode* const m_scopeNode;
</span><span class="cx">         Strong&lt;UnlinkedCodeBlock&gt; m_codeBlock;
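Review bot: TDZNecessityLevel deserves a comment on each enumerator, since its meaning is only explained in the ChangeLog: NotNeeded marks a variable known not to be under TDZ (block-scoped functions, variables of a NotUnderTDZ scope such as a catch parameter, and variables whose check has been lifted) and is kept in the map specifically so that needsTDZCheck and liftTDZCheckIfPossible stop at this scope instead of reaching an outer binding of the same name; Optimize and DoNotOptimize both mean a check is required and differ only in whether liftTDZCheckIfPossible may downgrade the entry to NotNeeded.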
</span><span class="lines">@@ -965,4 +973,10 @@
</span><span class="cx"> 
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+namespace WTF {
+
+void printInternal(PrintStream&amp;, JSC::Variable::VariableKind);
+
+} // namespace WTF
+
</ins><span class="cx"> #endif // BytecodeGenerator_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterCallFrameh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/CallFrame.h (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/CallFrame.h        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/JavaScriptCore/interpreter/CallFrame.h        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -149,7 +149,7 @@
</span><span class="cx">         
</span><span class="cx">         // This will get you a CodeOrigin. It will always succeed. May return
</span><span class="cx">         // CodeOrigin(0) if we're in native code.
</span><del>-        CodeOrigin codeOrigin();
</del><ins>+        JS_EXPORT_PRIVATE CodeOrigin codeOrigin();
</ins><span class="cx"> 
</span><span class="cx">         Register* topOfFrame()
</span><span class="cx">         {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresslifttdzbypasscatchjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/lift-tdz-bypass-catch.js (0 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/lift-tdz-bypass-catch.js                                (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/lift-tdz-bypass-catch.js        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+//@ runDefault
+
+function foo () {
+try{}catch(e){}print(e);let e;
+}
+
+try {
+    foo();
+} catch (e) {}
+
</ins></span></pre></div>
<a id="trunkSourceWTFbenchmarksLockFairnessTestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/benchmarks/LockFairnessTest.cpp (202777 => 202778)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/benchmarks/LockFairnessTest.cpp        2016-07-02 11:29:42 UTC (rev 202777)
+++ trunk/Source/WTF/benchmarks/LockFairnessTest.cpp        2016-07-02 17:43:56 UTC (rev 202778)
</span><span class="lines">@@ -48,12 +48,13 @@
</span><span class="cx"> 
</span><span class="cx"> NO_RETURN void usage()
</span><span class="cx"> {
</span><del>-    printf(&quot;Usage: LockFairnessTest yieldspinlock|pausespinlock|wordlock|lock|barginglock|bargingwordlock|thunderlock|thunderwordlock|cascadelock|cascadewordlockhandofflock|mutex|all &lt;num threads&gt; &lt;seconds per test&gt;\n&quot;);
</del><ins>+    printf(&quot;Usage: LockFairnessTest yieldspinlock|pausespinlock|wordlock|lock|barginglock|bargingwordlock|thunderlock|thunderwordlock|cascadelock|cascadewordlockhandofflock|mutex|all &lt;num threads&gt; &lt;seconds per test&gt; &lt;microseconds in critical section&gt;\n&quot;);
</ins><span class="cx">     exit(1);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> unsigned numThreads;
</span><span class="cx"> double secondsPerTest;
</span><ins>+unsigned microsecondsInCriticalSection;
</ins><span class="cx"> 
</span><span class="cx"> struct Benchmark {
</span><span class="cx">     template&lt;typename LockType&gt;
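Review bot: This benchmark change is unrelated to the TDZ fix and has no Source/WTF/ChangeLog entry in this revision; it should land as a separate commit. While the usage string is being edited, the option list reads `cascadewordlockhandofflock`, which is missing the `|` between cascadewordlock and handofflock (present in both the old and the new line).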
</span><span class="lines">@@ -72,9 +73,19 @@
</span><span class="cx">             threads[threadIndex] = createThread(
</span><span class="cx">                 &quot;Benchmark Thread&quot;,
</span><span class="cx">                 [&amp;, threadIndex] () {
</span><ins>+                    if (!microsecondsInCriticalSection) {
+                        while (keepGoing) {
+                            lock.lock();
+                            counts[threadIndex]++;
+                            lock.unlock();
+                        }
+                        return;
+                    }
+                    
</ins><span class="cx">                     while (keepGoing) {
</span><span class="cx">                         lock.lock();
</span><span class="cx">                         counts[threadIndex]++;
</span><ins>+                        usleep(microsecondsInCriticalSection);
</ins><span class="cx">                         lock.unlock();
</span><span class="cx">                     }
</span><span class="cx">                 });
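Review bot: The zero-microsecond branch duplicates the lock/count/unlock loop so that the fast path never calls usleep(0); if that is intentional, say so in a comment, because otherwise the next reader will fold the two loops into one with a conditional usleep. Also confirm that &lt;unistd.h&gt; (for usleep) is included in this file; the include is not visible in the diff.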
</span><span class="lines">@@ -106,9 +117,10 @@
</span><span class="cx"> {
</span><span class="cx">     WTF::initializeThreading();
</span><span class="cx">     
</span><del>-    if (argc != 4
</del><ins>+    if (argc != 5
</ins><span class="cx">         || sscanf(argv[2], &quot;%u&quot;, &amp;numThreads) != 1
</span><del>-        || sscanf(argv[3], &quot;%lf&quot;, &amp;secondsPerTest) != 1)
</del><ins>+        || sscanf(argv[3], &quot;%lf&quot;, &amp;secondsPerTest) != 1
+        || sscanf(argv[4], &quot;%u&quot;, &amp;microsecondsInCriticalSection) != 1)
</ins><span class="cx">         usage();
</span><span class="cx">     
</span><span class="cx">     runEverything&lt;Benchmark&gt;(argv[1]);
</span></span></pre>
</div>
</div>

</body>
</html>