Bug 19400

Summary: subscript operator does not protect base when necessary
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, mjs, zwarich
Priority: P2 Keywords: HasReduction, Regression
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
Proposed patch mjs: review+

Oliver Hunt
Reported 2008-06-04 21:48:33 PDT
in the expression var a = [-1]; print(a[++a]) the result should be '0', but instead is 'undefined', as the code emitted does pre_inc a get_by_val result, a, a ... but should actually do mov temp, a pre_inc a get_by_val result, temp, a The issue is that we don't guard the base against potential modification by the subscript expression
Attachments
Proposed patch (7.11 KB, patch)
2008-06-05 01:50 PDT, Cameron Zwarich (cpst) 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-06-05 01:50:17 PDT
Created attachment 21506 [details] Proposed patch Here's a fix. It is a slight progression on SunSpider for me, and it doesn't affect very much codegen. I can post the diffs if anyone is interested.
Maciej Stachowiak
Comment 2 2008-06-05 01:55:45 PDT
Comment on attachment 21506 [details] Proposed patch r=me but I suggest more tests of funny business in the bracket subscript.
Cameron Zwarich (cpst)
Comment 3 2008-06-05 02:21:58 PDT
Landed in r34373.
Note You need to log in before you can comment on or make changes to this bug.