[Webkit-unassigned] [Bug 157079] Assertion failure for super() call in arrow function default parameters

Sun May 8 13:13:25 PDT 2016

https://bugs.webkit.org/show_bug.cgi?id=157079

--- Comment #2 from GSkachkov <gskachkov at gmail.com> ---
Good catch!
It seems that we mismatch the scope when we resolve scope for 'super()'. There is byte code for arrow function in little bit modified test:
----
new class extends Array { constructor() { var abc = 0;  ((a = super())=>{ debug(abc);})() } }
----

----
[   0] enter             
[   1] get_scope         loc3
[   3] mov               loc4, loc3
[   6] mov               loc6, <JSValue()>(const1)
[   9] mov               loc7, arg1
[  12] is_undefined      loc8, arg1
[  15] jfalse            loc8, 80(->95)
[  18] resolve_scope     loc9, loc3, PrivateSymbol.derivedConstructor(@id0), <ClosureVar>, 0, 0x1077dbd60
[  25] get_from_scope    loc9, loc9, PrivateSymbol.derivedConstructor(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 3    predicting None
[  33] get_by_id         loc9, loc9, __proto__(@id1)    predicting None
[  42] mov               loc10, loc5
[  45] construct         loc7, loc9, 1, 16 status(Could Take Slow Path)    predicting None
[  54] resolve_scope     loc11, loc3, this(@id2), <ClosureVar>, 0, 0x1077dbd60
[  61] get_from_scope    this, loc11, this(@id2), 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, 1    predicting None
[  69] is_empty          loc11, this
[  72] jtrue             loc11, 6(->78)
[  75] throw_static_error String (atomic) (identifier): 'super()' can't be called more than once in a constructor., ID: 4(const2), true
[  78] mov               this, loc7
[  81] resolve_scope     loc11, loc3, this(@id2), <ClosureVar>, 0, 0x1077dbd60
[  88] put_to_scope      loc11, this(@id2), this, 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, <structure>, 1
[  95] mov               loc6, loc7
[  98] resolve_scope     loc7, loc3, PrivateSymbol.newTargetLocal(@id3), <ClosureVar>, 0, 0x1077dbd60
[ 105] get_from_scope    loc5, loc7, PrivateSymbol.newTargetLocal(@id3), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 2    predicting None
[ 113] resolve_scope     loc10, loc3, debug(@id4), <GlobalProperty>, 2, 0x1077df900
[ 120] get_from_scope    loc7, loc10, debug(@id4), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 120    predicting None
[ 128] resolve_scope     loc9, loc3, abc(@id5), <ClosureVar>, 0, 0x1077dbd60
[ 135] get_from_scope    loc9, loc9, abc(@id5), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 143] call              loc7, loc7, 2, 16 status(Could Take Slow Path)    Original; predicting None
[ 152] ret               Undefined(const3)
----

line [18]-resolve scope for 'super()' and [128] resolve scope for 'abc', do resolve with the same scope 0x1077dbd60, but should with different scopes

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160508/69fc83bf/attachment.html>