RESOLVED FIXED 236843
[JSC] ReferenceError when using extra parens in class fields
https://bugs.webkit.org/show_bug.cgi?id=236843
Summary [JSC] ReferenceError when using extra parens in class fields
Liam Mitchell
Reported Friday, February 18, 2022 5:28:49 PM UTC
Created attachment 452527 [details] Two reproducible examples Extra params inside class field declarations cause ReferenceErrors. Example 1: ;(() => { const a = (x) => x class B { c = a(('OK')); } // Should write 'OK' document.write(new B().c) })() Throws ReferenceError: Can't find variable: a Example 2: ;(() => { const a = 'OK' class B { static c = { d: a, e: (1), } } // Should write 'OK' document.write(B.c.d) })() Throws ReferenceError: Can't find variable: a Tested on Safari TP 15.4, Safari 15.2, 15.3, iOS 14.5, 15.0
Attachments
Two reproducible examples (501 bytes, text/html)
2022-02-18 09:28 PST, Liam Mitchell
no flags
Patch (5.21 KB, patch)
2022-03-21 02:37 PDT, Yusuke Suzuki
no flags
Liam Mitchell
Comment 1 Saturday, February 19, 2022 5:18:20 AM UTC
This is only reproducible without dev tools. If dev tools is open, the code works as expected.
Radar WebKit Bug Importer
Comment 2 Wednesday, February 23, 2022 11:41:02 PM UTC
Keith Miller
Comment 3 Friday, March 4, 2022 9:29:30 PM UTC
Hi Liam, Thanks for the report! Given that it doesn't happen with the DevTools open it sounds like this could be a JIT bug.
Keith Miller
Comment 4 Friday, March 4, 2022 9:30:25 PM UTC
Actually I'm not so sure it's a JIT bug; you don't have any loops in the code you're running.
Keith Miller
Comment 5 Friday, March 4, 2022 9:38:21 PM UTC
Looks like we're failing to create a lexical environment when the extra parens are there for some reason... (function foo() { const a = (x) => x class B { // c = a('OK'); c = a(('OK')); } // Should write 'OK' print(new B().c) })() produces the following byte code: foo#CMKAuY:[0x1078f4130->0x107871300, NoneFunctionCall, 100]: 25 instructions (0 16-bit instructions, 0 32-bit instructions, 8 instructions with metadata); 216 bytes (116 metadata bytes); 1 parameter(s); 20 callee register(s); 7 variable(s); scope at loc4 bb#1 Predecessors: [ ] [ 0] enter [ 1] get_scope dst:loc4 [ 3] mov dst:loc5, src:loc4 [ 6] check_traps [ 7] mov dst:loc6, src:callee [ 10] mov dst:loc7, src:<JSValue()>(const0) [ 13] mov dst:loc8, src:<JSValue()>(const0) [ 16] new_func_exp dst:loc7, scope:loc4, functionDecl:0 [ 20] mov dst:loc9, src:<JSValue()>(const0) [ 23] new_func_exp dst:loc10, scope:loc4, functionDecl:1 [ 27] new_object dst:loc11, inlineCapacity:0 [ 31] define_data_property base:loc11, property:String (atomic),8Bit:(1),length:(11): constructor, StructureID: 16608(const1), value:loc10, attributes:Int32: 89(const2) [ 36] define_data_property base:loc10, property:String (atomic),8Bit:(1),length:(9): prototype, StructureID: 16608(const3), value:loc11, attributes:Int32: 74(const4) [ 41] new_func_exp dst:loc12, scope:loc4, functionDecl:2 [ 45] put_by_id base:loc12, property:0, value:loc11, flags:Strict [ 51] put_by_id base:loc10, property:1, value:loc12, flags:IsDirect|Strict [ 57] mov dst:loc9, src:loc10 [ 60] mov dst:loc8, src:loc10 [ 63] resolve_scope dst:loc12, scope:loc4, var:2, resolveType:GlobalProperty, localScopeDepth:0 [ 70] get_from_scope dst:loc9, scope:loc12, var:2, getPutInfo:2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, localScopeDepth:0, offset:0 [ 78] mov dst:loc14, src:loc8 [ 81] construct dst:loc13, callee:loc8, argc:1, argv:20 [ 87] get_by_id dst:loc11, base:loc13, property:3 [ 92] call dst:loc9, callee:loc9, argc:2, argv:18 [ 98] ret value:Undefined(const5) Successors: [ ] but if the comments are flipped we get: foo#CpArJP:[0x103ff4130->0x103f71300, NoneFunctionCall, 113]: 27 instructions (0 16-bit instructions, 0 32-bit instructions, 9 instructions with metadata); 229 bytes (116 metadata bytes); 1 parameter(s); 20 callee register(s); 7 variable(s); scope at loc4 bb#1 Predecessors: [ ] [ 0] enter [ 1] get_scope dst:loc4 [ 3] mov dst:loc5, src:loc4 [ 6] check_traps [ 7] mov dst:loc6, src:callee [ 10] create_lexical_environment dst:loc8, scope:loc4, symbolTable:Cell: 0x104100da8 (0x280004700:[0x4700/18176, SymbolTable, (0/0, 0/0){}, NonArray, Leaf]), StructureID: 18176(const0), initialValue:<JSValue()>(const1) [ 15] mov dst:loc4, src:loc8 [ 18] mov dst:loc7, src:<JSValue()>(const1) [ 21] new_func_exp dst:loc9, scope:loc4, functionDecl:0 [ 25] put_to_scope scope:loc8, var:0, value:loc9, getPutInfo:1049604<DoNotThrowIfNotFound|ResolvedClosureVar|ConstInitialization|NotStrictMode>, symbolTableOrScopeDepth:0, offset:0 [ 33] mov dst:loc9, src:<JSValue()>(const1) [ 36] new_func_exp dst:loc10, scope:loc4, functionDecl:1 [ 40] new_object dst:loc11, inlineCapacity:0 [ 44] define_data_property base:loc11, property:String (atomic),8Bit:(1),length:(11): constructor, StructureID: 16608(const2), value:loc10, attributes:Int32: 89(const3) [ 49] define_data_property base:loc10, property:String (atomic),8Bit:(1),length:(9): prototype, StructureID: 16608(const4), value:loc11, attributes:Int32: 74(const5) [ 54] new_func_exp dst:loc12, scope:loc4, functionDecl:2 [ 58] put_by_id base:loc12, property:1, value:loc11, flags:Strict [ 64] put_by_id base:loc10, property:2, value:loc12, flags:IsDirect|Strict [ 70] mov dst:loc9, src:loc10 [ 73] mov dst:loc7, src:loc10 [ 76] resolve_scope dst:loc12, scope:loc4, var:3, resolveType:GlobalProperty, localScopeDepth:1 [ 83] get_from_scope dst:loc9, scope:loc12, var:3, getPutInfo:2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, localScopeDepth:1, offset:0 [ 91] mov dst:loc14, src:loc7 [ 94] construct dst:loc13, callee:loc7, argc:1, argv:20 [ 100] get_by_id dst:loc11, base:loc13, property:4 [ 105] call dst:loc9, callee:loc9, argc:2, argv:18 [ 111] ret value:Undefined(const6) Successors: [ ]
Yusuke Suzuki
Comment 6 Monday, March 21, 2022 10:37:26 AM UTC
Saam Barati
Comment 7 Monday, March 21, 2022 8:04:15 PM UTC
Comment on attachment 455222 [details] Patch r=me
EWS
Comment 8 Monday, March 21, 2022 8:58:29 PM UTC
Committed r291577 (248677@main): <https://commits.webkit.org/248677@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 455222 [details].
Note You need to log in before you can comment on or make changes to this bug.