Class members which capture super via dot (super.constructor) end up getting the wrong value

boingoing · boingoing · commit b1cb0792bcac · 2019-02-07T23:48:56.000-08:00
We were using the wrong bytecode register when emitting LdHomeObjProto in the case of a lambda capturing super via a dot reference. Consider this Javascript: ```javascript class A { } class B extends A { foo() { const _s = () => super.constructor; console.log(_s().name); } } ``` The member function foo correctly stashes this and super but the lambda needs to load them from the environment and it was loading them into the same register. Here's the incorrect bytecode: ``` Function _s ( (#1.5), #6) (In0) (size: 8 [8]) 5 locals (2 temps from R3), 1 inline cache Constant Table: ======== ===== R1 LdRoot Line 13: super.constructor Col 26: ^ 0000 ProfiledLdEnvSlot R3 = [1][2] <0> 0006 ProfiledLdEnvSlot R3 = [1][3] <1> 000c LdHomeObjProto R4 R3 0011 ProfiledLdSuperFld R0 = R4(this=R3). #0 <0> 0019 Br x:001e ( 2) 001c LdUndef R0 ``` With the fix in this PR, here's the bytecode we get for _s: ``` Function _s ( (#1.5), #6) (In0) (size: 8 [8]) 6 locals (3 temps from R3), 1 inline cache Constant Table: ======== ===== R1 LdRoot Line 56: super.constructor Col 26: ^ 0000 ProfiledLdEnvSlot R3 = [1][2] <0> 0006 ProfiledLdEnvSlot R4 = [1][3] <1> 000c LdHomeObjProto R5 R3 0011 ProfiledLdSuperFld R0 = R5(this=R4). #0 <0> 0019 Br x:001e ( 2) 001c LdUndef R0 ```
diff --git a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp
@@ -10833,44 +10833,37 @@ void Emit(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator, FuncInfo *func
     case knopDot:
     {
         Emit(pnode->AsParseNodeBin()->pnode1, byteCodeGenerator, funcInfo, false);
-        funcInfo->ReleaseLoc(pnode->AsParseNodeBin()->pnode1);
-        funcInfo->AcquireLoc(pnode);
-        Js::PropertyId propertyId = pnode->AsParseNodeBin()->pnode2->AsParseNodeName()->PropertyIdFromNameNode();
 
         Js::RegSlot callObjLocation = pnode->AsParseNodeBin()->pnode1->location;
         Js::RegSlot protoLocation = callObjLocation;
 
+        if (ByteCodeGenerator::IsSuper(pnode->AsParseNodeBin()->pnode1))
+        {
+            Emit(pnode->AsParseNodeSuperReference()->pnodeThis, byteCodeGenerator, funcInfo, false);
+            protoLocation = byteCodeGenerator->EmitLdObjProto(Js::OpCode::LdHomeObjProto, callObjLocation, funcInfo);
+            funcInfo->ReleaseLoc(pnode->AsParseNodeSuperReference()->pnodeThis);
+        }
+
+        funcInfo->ReleaseLoc(pnode->AsParseNodeBin()->pnode1);
+        funcInfo->AcquireLoc(pnode);
+        Js::PropertyId propertyId = pnode->AsParseNodeBin()->pnode2->AsParseNodeName()->PropertyIdFromNameNode();
+        uint cacheId = funcInfo->FindOrAddInlineCacheId(protoLocation, propertyId, false, false);
+
         if (propertyId == Js::PropertyIds::length)
         {
-            uint cacheId = funcInfo->FindOrAddInlineCacheId(protoLocation, propertyId, false, false);
             byteCodeGenerator->Writer()->PatchableProperty(Js::OpCode::LdLen_A, pnode->location, protoLocation, cacheId);
         }
         else if (pnode->IsCallApplyTargetLoad())
         {
-            if (ByteCodeGenerator::IsSuper(pnode->AsParseNodeBin()->pnode1))
-            {
-                Emit(pnode->AsParseNodeSuperReference()->pnodeThis, byteCodeGenerator, funcInfo, false);
-                protoLocation = byteCodeGenerator->EmitLdObjProto(Js::OpCode::LdHomeObjProto, callObjLocation, funcInfo);
-                funcInfo->ReleaseLoc(pnode->AsParseNodeSuperReference()->pnodeThis);
-            }
-            uint cacheId = funcInfo->FindOrAddInlineCacheId(protoLocation, propertyId, false, false);
             byteCodeGenerator->Writer()->PatchableProperty(Js::OpCode::LdFldForCallApplyTarget, pnode->location, protoLocation, cacheId);
         }
+        else if (ByteCodeGenerator::IsSuper(pnode->AsParseNodeBin()->pnode1))
+        {
+            byteCodeGenerator->Writer()->PatchablePropertyWithThisPtr(Js::OpCode::LdSuperFld, pnode->location, protoLocation, pnode->AsParseNodeSuperReference()->pnodeThis->location, cacheId, isConstructorCall);
+        }
         else
         {
-            if (ByteCodeGenerator::IsSuper(pnode->AsParseNodeBin()->pnode1))
-            {
-                Emit(pnode->AsParseNodeSuperReference()->pnodeThis, byteCodeGenerator, funcInfo, false);
-                protoLocation = byteCodeGenerator->EmitLdObjProto(Js::OpCode::LdHomeObjProto, callObjLocation, funcInfo);
-                funcInfo->ReleaseLoc(pnode->AsParseNodeSuperReference()->pnodeThis);
-                uint cacheId = funcInfo->FindOrAddInlineCacheId(protoLocation, propertyId, false, false);
-                byteCodeGenerator->Writer()->PatchablePropertyWithThisPtr(Js::OpCode::LdSuperFld, pnode->location, protoLocation, pnode->AsParseNodeSuperReference()->pnodeThis->location, cacheId, isConstructorCall);
-            }
-            else
-            {
-                uint cacheId = funcInfo->FindOrAddInlineCacheId(callObjLocation, propertyId, false, false);
-                byteCodeGenerator->Writer()->PatchableProperty(Js::OpCode::LdFld, pnode->location, callObjLocation, cacheId, isConstructorCall);
-            }
+            byteCodeGenerator->Writer()->PatchableProperty(Js::OpCode::LdFld, pnode->location, callObjLocation, cacheId, isConstructorCall);
         }
 
         break;
diff --git a/test/es6/rlexe.xml b/test/es6/rlexe.xml
@@ -1505,4 +1505,10 @@
     <compile-flags>-args summary -endargs</compile-flags>
   </default>
 </test>
+<test>
+  <default>
+    <files>super_bugs.js</files>
+    <compile-flags>-args summary -endargs</compile-flags>
+  </default>
+</test>
 </regress-exe>
diff --git a/test/es6/super_bugs.js b/test/es6/super_bugs.js
@@ -0,0 +1,82 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+WScript.LoadScriptFile("..\\UnitTestFramework\\UnitTestFramework.js");
+
+var tests = [
+    {
+       name: "Class member captures super as index reference via a lambda",
+       body: function ()
+       {
+           class Base {}
+           class Derived extends Base {
+               test() {
+                   const _s = name => super[name];
+                   return _s('constructor').name;
+               }
+           }
+           
+           assert.areEqual("Base", new Derived().test());
+       }
+    },
+    {
+       name: "Class member captures super as dot reference via a lambda",
+       body: function ()
+       {
+           class Base {}
+           class Derived extends Base {
+               test() {
+                   const _s = () => super.constructor;
+                   return _s().name;
+               }
+           }
+           
+           assert.areEqual("Base", new Derived().test());
+       }
+    },
+    {
+       name: "Class member captures super as dot reference via object with a getter",
+       body: function ()
+       {
+           class Base {}
+           class Derived extends Base {
+               test() {
+                   const _super = Object.create(null, {
+                       constructor: {
+                           get: () => super.constructor
+                       }
+                   });
+                   
+                   return _super.constructor.name;
+               }
+           }
+           
+           assert.areEqual("Base", new Derived().test());
+       }
+    },
+    {
+       name: "Class member captures super in lambda via getter from outer super reference",
+       body: function ()
+       {
+           class Base {}
+           class Derived extends Base {
+               test() {
+                   const con = super.constructor;
+                   const prop2 = {
+                       constructor: {
+                           get: () => con
+                       }
+                   };
+                   const _super2 = Object.create(null, prop2);
+                   return _super2.constructor.name;
+               }
+           }
+           
+           assert.areEqual("Base", new Derived().test());
+       }
+    },
+];
+
+testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });
