WebKit Bugzilla
Attachment 359061 Details for Bug 193404: [BigInt] Literal parsing is crashing when used inside a Object Literal
Patch: bug-193404-20190114164347.patch (text/plain), 3.19 KB, created by Caio Lima on 2019-01-14 11:43:49 PST
>Subversion Revision: 239923 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index df789492e590f3dfa3f17ecf18bd2e2555334e42..a4ebae8cdcd83b8c59b94419dd7834333a764330 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,19 @@ >+2019-01-14 Caio Lima <ticaiolima@gmail.com> >+ >+ [BigInt] Literal parsing is crashing when used inside a Object Literal >+ https://bugs.webkit.org/show_bug.cgi?id=193404 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Former implementation was relying into token.m_data.radix after the >+ call of `next()` into Parser.cpp. This is not safe because next >+ clobbers token.m_data.radix in some cases (e.g is CLOSEBRACE). >+ Now we get radix value before calling `next()` into parser and store >+ in a local variable. >+ >+ * parser/Parser.cpp: >+ (JSC::Parser<LexerType>::parsePrimaryExpression): >+ > 2019-01-12 Timothy Hatcher <timothy@apple.com> > > Have prefers-color-scheme: light always match on macOS versions before Mojave. >diff --git a/Source/JavaScriptCore/parser/Parser.cpp b/Source/JavaScriptCore/parser/Parser.cpp >index 922f41dccc1ba59e11cd2eaeca1c3249679afdba..4b840d3ec340b0431277a5cfa3e6b546bcf866ba 100644 >--- a/Source/JavaScriptCore/parser/Parser.cpp >+++ b/Source/JavaScriptCore/parser/Parser.cpp >@@ -4519,9 +4519,10 @@ template <class TreeBuilder> TreeExpression Parser<LexerType>::parsePrimaryExpre > } > case BIGINT: { > const Identifier* ident = m_token.m_data.bigIntString; >+ uint8_t radix = m_token.m_data.radix; > JSTokenLocation location(tokenLocation()); > next(); >- return context.createBigInt(location, ident, m_token.m_data.radix); >+ return context.createBigInt(location, ident, radix); > } > case STRING: { > const Identifier* ident = m_token.m_data.ident; >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index a915dfe21c0791fda1190e0cc6d8d00048b1205e..4ba07cbb18f8123b3fe6786dfb372969bd2627c9 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog 
>@@ -1,3 +1,12 @@ >+2019-01-14 Caio Lima <ticaiolima@gmail.com> >+ >+ [BigInt] Literal parsing is crashing when used inside a Object Literal >+ https://bugs.webkit.org/show_bug.cgi?id=193404 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/big-int-literal-inside-literal-object.js: Added. >+ > 2019-01-11 Saam barati <sbarati@apple.com> > > DFG combined liveness can be wrong for terminal basic blocks >diff --git a/JSTests/stress/big-int-literal-inside-literal-object.js b/JSTests/stress/big-int-literal-inside-literal-object.js >new file mode 100644 >index 0000000000000000000000000000000000000000..d1f9072ddc8a3b0dfc95da50c21d2fde9ca837e9 >--- /dev/null >+++ b/JSTests/stress/big-int-literal-inside-literal-object.js >@@ -0,0 +1,21 @@ >+//@ runBigIntEnabled >+ >+var assert = { >+ sameValue: function (input, expected) { >+ if (input !== expected) >+ throw new Error('Expected: ' + expected + ' but got: ' + input); >+ } >+}; >+ >+var x = {y:1n} >+assert.sameValue(x.y, 1n); >+ >+x = {y:{z:1n}}; >+assert.sameValue(x.y.z, 1n); >+ >+x = {y:-1212n} >+assert.sameValue(x.y, -1212n); >+ >+x = {y:{z:-22312n}}; >+assert.sameValue(x.y.z, -22312n); >+
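Review bot: The Source/JavaScriptCore/ChangeLog entry is hard to parse in two places: "relying into token.m_data.radix" and "(e.g is CLOSEBRACE)". Suggest "relied on m_token.m_data.radix after the call to `next()` in Parser.cpp" and "(e.g. when the next token is CLOSEBRACE)", using the member name `m_token` as the code does, so the entry can be matched against the Parser.cpp hunk.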
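Review bot: In the `BIGINT` case of `parsePrimaryExpression` (Source/JavaScriptCore/parser/Parser.cpp), nothing at the call site records why `radix` must be copied out before `next()`, so a later cleanup could fold it back into `m_token.m_data.radix` and reintroduce the stale read. A one-line comment above `uint8_t radix = m_token.m_data.radix;` stating that `next()` overwrites `m_token.m_data` would keep the ordering constraint visible. The local itself matches how `ident` is already captured before `next()` in this case.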
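Review bot: The new JSTests/stress/big-int-literal-inside-literal-object.js covers only decimal literals (`1n`, `-1212n`, `-22312n`), and in every case the literal is immediately followed by `}`. Since the value being preserved is the radix, add hexadecimal, octal and binary literals inside object literals (for example `{y:0x1Fn}`, `{y:0o17n}`, `{y:0b101n}`) with `assert.sameValue` on the expected value, so a wrong radix is caught by value and not only by a crash. The ChangeLog says `next()` clobbers the field "in some cases", so a case where the literal is followed by a different token, such as `{a:1n, b:2n}`, would also be worth including.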