Bug 19400

Summary: subscript operator does not protect base when necessary
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal    CC: ggaren, mjs, zwarich
Priority: P2    Keywords: HasReduction, Regression
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments:
Description Flags
Proposed patch mjs: review+

Description Oliver Hunt 2008-06-04 21:48:33 PDT
In the expression
var  a = [-1];
print(a[++a])

the result should be '0', but instead is 'undefined', as the code emitted does
pre_inc a
get_by_val result, a, a
...

but should actually do
mov temp, a
pre_inc a
get_by_val result, temp, a

The issue is that we don't guard the base against potential modification by the subscript expression.
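The evaluation order the corrected bytecode (mov temp, a; pre_inc a; get_by_val result, temp, a) has to honour, as an added example that is not part of the bug report or the patch: in `base[subscript]` the base value is read before the subscript runs, so a subscript that reassigns the base variable must not change which object is indexed. The cases below are constructed for this example and go beyond the report's `a[++a]` to reassignment to a primitive, replacement by another object, and the property-write form.

```javascript
// Added example, not from the WebKit bug or its patch. All inputs are constructed.

// Subscript reassigns the base variable to a primitive before the lookup happens.
// A correct engine indexes the original array; the buggy codegen would index
// the number 0 instead and produce undefined.
function readAfterBaseReassigned() {
  var arr = ['first', 'second'];
  return arr[(arr = 0, 1)]; // 'second'
}

// Same rule when the subscript swaps the base for a different object.
function readAfterBaseSwapped() {
  var obj = { k: 'from-original' };
  return obj[(obj = { k: 'from-replacement' }, 'k')]; // 'from-original'
}

// Same rule for property writes: the reference is formed (base first, then
// subscript) before the right-hand side is stored, so the original object
// receives the assignment even though the variable now holds null.
function writeAfterBaseReassigned() {
  var target = {};
  var original = target;
  target[(target = null, 'key')] = 'value';
  return original.key; // 'value'
}

// Explicit desugaring of what the fixed codegen does: copy the base into a
// temporary, evaluate the subscript (which may clobber the variable), then
// index the temporary rather than the variable.
// getBase/setBase/subscript are hypothetical closures standing in for the
// variable access and the subscript expression.
function desugaredSubscript(getBase, setBase, subscript) {
  var temp = getBase();          // mov temp, a
  var key = subscript(setBase);  // subscript runs after the base is captured
  return temp[key];              // get_by_val result, temp, key
}

function desugaredExample() {
  var arr = ['first', 'second'];
  return desugaredSubscript(
    function () { return arr; },
    function (v) { arr = v; },
    function (set) { set(0); return 1; } // mirrors (arr = 0, 1)
  ); // 'second'
}
```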
Comment 1 Cameron Zwarich (cpst) 2008-06-05 01:50:17 PDT
Created attachment 21506 [details]
Proposed patch

Here's a fix. It is a slight progression on SunSpider for me, and it doesn't affect very much codegen. I can post the diffs if anyone is interested.
Comment 2 Maciej Stachowiak 2008-06-05 01:55:45 PDT
Comment on attachment 21506 [details]
Proposed patch

r=me but I suggest more tests of funny business in the bracket subscript.
Comment 3 Cameron Zwarich (cpst) 2008-06-05 02:21:58 PDT
Landed in r34373.