Bug 665286 - crash on yield in arguments list (r=cdleary)

2011-06-23 18:20:31 -04:00 · 2011-06-23 18:20:31 -04:00 · a118c1779b
--- a/js/src/jsemit.h
+++ b/js/src/jsemit.h
@ -293,7 +293,8 @@ struct JSTreeContext {              /* tree context for semantic checks */
    uint32          flags;          /* statement state flags, see above */
    uint32          bodyid;         /* block number of program/function body */
    uint32          blockidGen;     /* preincremented block number generator */
-    uint32          parenDepth;     /* paren-nesting depth */
+    uint32          parenDepth;     /* nesting depth of parens that might turn out
+                                       to be generator expressions */
    uint32          yieldCount;     /* number of |yield| tokens encountered at
                                       non-zero depth in current paren tree */
    uint32          argumentsCount; /* number of |arguments| references encountered
--- a/js/src/jsparse.cpp
+++ b/js/src/jsparse.cpp
@ -7256,6 +7256,27 @@ static const char js_generator_str[] = "generator";
 #endif /* JS_HAS_GENERATOR_EXPRS */
 #endif /* JS_HAS_GENERATORS */

+/*
+ * Check whether a |yield| token has been encountered since the last reset point
+ * (the creation of the tree context or the current GenexpGuard), and if so,
+ * note that the current function is a generator function.
+ *
+ * Call this after the current GenexpGuard has determined whether it was inside
+ * of a generator expression.
+ */
+bool
+Parser::maybeNoteGenerator()
+{
+    if (tc->yieldCount > 0) {
+        tc->flags |= TCF_FUN_IS_GENERATOR;
+        if (!tc->inFunction()) {
+            reportErrorNumber(NULL, JSREPORT_ERROR, JSMSG_BAD_RETURN_OR_YIELD, js_yield_str);
+            return false;
+        }
+    }
+    return true;
+}
+
 JSBool
 Parser::argumentList(JSParseNode *listNode)
 {
@ -7263,11 +7284,17 @@ Parser::argumentList(JSParseNode *listNode)
        return JS_TRUE;

    GenexpGuard guard(tc);
+    bool arg0 = true;

    do {
        JSParseNode *argNode = assignExpr();
        if (!argNode)
            return JS_FALSE;
+        if (arg0) {
+            guard.endBody();
+            arg0 = false;
+        }
+
 #if JS_HAS_GENERATORS
        if (argNode->pn_type == TOK_YIELD &&
            !argNode->pn_parens &&
@ -7294,11 +7321,13 @@ Parser::argumentList(JSParseNode *listNode)
        listNode->append(argNode);
    } while (tokenStream.matchToken(TOK_COMMA));

+    if (!maybeNoteGenerator())
+        return NULL;
+
    if (tokenStream.getToken() != TOK_RP) {
        reportErrorNumber(NULL, JSREPORT_ERROR, JSMSG_PAREN_AFTER_ARGS);
        return JS_FALSE;
    }
-    guard.endBody();
    return JS_TRUE;
 }

@ -8899,13 +8928,8 @@ Parser::parenExpr(JSBool *genexp)
    }
 #endif /* JS_HAS_GENERATOR_EXPRS */

-    if (tc->yieldCount > 0) {
-        tc->flags |= TCF_FUN_IS_GENERATOR;
-        if (!tc->inFunction()) {
-            reportErrorNumber(NULL, JSREPORT_ERROR, JSMSG_BAD_RETURN_OR_YIELD, js_yield_str);
+    if (!maybeNoteGenerator())
        return NULL;
-        }
-    }

    return pn;
 }
--- a/js/src/jsparse.h
+++ b/js/src/jsparse.h
@ -1137,6 +1137,8 @@ struct Parser : private js::AutoGCRooter
    inline bool reportErrorNumber(JSParseNode *pn, uintN flags, uintN errorNumber, ...);

 private:
+    bool maybeNoteGenerator();
+
    /*
     * JS parsers, from lowest to highest precedence.
     *
--- a/js/src/tests/js1_8/genexps/jstests.list
+++ b/js/src/tests/js1_8/genexps/jstests.list
@ -9,3 +9,4 @@ script regress-380237-03.js
 skip script regress-380237-04.js # obsolete test, need to remove minor failures to reenable.
 script regress-384991.js
 script regress-634472.js
+script regress-665286.js
--- a/js/src/tests/js1_8/genexps/regress-634472.js
+++ b/js/src/tests/js1_8/genexps/regress-634472.js
@ -94,7 +94,8 @@ const cases = [
  { expr: "(yield, 1 for (x in []))",        top: JSMSG_TOP_YIELD, fun: JSMSG_YIELD_PAREN,  gen: JSMSG_YIELD_PAREN,  desc: "simple yield in list in genexp" },
  { expr: "(yield 1, 2 for (x in []))",      top: JSMSG_TOP_YIELD, fun: JSMSG_YIELD_PAREN,  gen: JSMSG_YIELD_PAREN,  desc: "yield w/ arg in list in genexp" },
  { expr: "(1, yield for (x in []))",        top: JSMSG_TOP_YIELD, fun: JSMSG_GENERIC,      gen: JSMSG_GENERIC,      desc: "simple yield at end of list in genexp" },
-  { expr: "(1, yield 2 for (x in []))",      top: JSMSG_TOP_YIELD, fun: JSMSG_GENEXP_YIELD, gen: JSMSG_GENEXP_YIELD, desc: "yield w/ arg at end of list in genexp" },
+  { expr: "(1, yield 2 for (x in []))",      top: JSMSG_TOP_YIELD, fun: { simple: JSMSG_GENEXP_YIELD, call: JSMSG_GENEXP_PAREN },
+                                                                                            gen: JSMSG_GENEXP_YIELD, desc: "yield w/ arg at end of list in genexp" },
  { expr: "((yield) for (x in []))",         top: JSMSG_TOP_YIELD, fun: JSMSG_GENEXP_YIELD, gen: JSMSG_GENEXP_YIELD, desc: "simple yield, parenthesized in genexp" },
  { expr: "((yield 1) for (x in []))",       top: JSMSG_TOP_YIELD, fun: JSMSG_GENEXP_YIELD, gen: JSMSG_GENEXP_YIELD, desc: "yield w/ arg, parenthesized in genexp" },
  { expr: "(1, (yield) for (x in []))",      top: JSMSG_TOP_YIELD, fun: JSMSG_GENEXP_YIELD, gen: JSMSG_GENEXP_YIELD, desc: "simple yield, parenthesized in list in genexp" },
--- a/js/src/tests/js1_8/genexps/regress-665286.js
+++ b/js/src/tests/js1_8/genexps/regress-665286.js
@ -0,0 +1,65 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is JavaScript Engine testing utilities.
+ *
+ * The Initial Developer of the Original Code is
+ * Mozilla Foundation.
+ * Portions created by the Initial Developer are Copyright (C) 2007
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s): Dave Herman
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+//-----------------------------------------------------------------------------
+var BUGNUMBER = 665286;
+var summary = 'yield in arguments list';
+var actual = '';
+var expect = '';
+
+function reported() {
+    function f() {
+        x
+    }
+    f(yield #2=[])
+}
+
+function simplified1() {
+    print(yield)
+}
+
+function simplified2() {
+    print(1, yield)
+}
+
+reportCompare(reported.isGenerator(), true, "reported case: is generator");
+reportCompare(typeof reported(), "object", "reported case: calling doesn't crash");
+reportCompare(simplified1.isGenerator(), true, "simplified case 1: is generator");
+reportCompare(typeof simplified1(), "object", "simplified case 1: calling doesn't crash");
+reportCompare(simplified2.isGenerator(), true, "simplified case 2: is generator");
+reportCompare(typeof simplified2(), "object", "simplified case 2: calling doesn't crash");