Bug 91270

Summary: a = data[a]++; sets the wrong key in data
Product: WebKit Reporter: Malte Ubl <malte>
Component: JavaScriptCoreAssignee: Gavin Barraclough <barraclough>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, barraclough, brendan, fpizlo, ggaren, oliver
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fix oliver: review+

Description Malte Ubl 2012-07-13 12:51:55 PDT 
Hey,

this code has different behavior in JSC from all other engines.

var data = {'test': 0};
var a = 'test';
a = data[a]++;

Data now contains {"test":0,"0":1} instead of  {"test":1}
Comment 1 Alexey Proskuryakov 2012-07-14 00:45:19 PDT 
Where are you seeing this issue? I cannot reproduce in Web Inspector using Safari 5.1.7 or nightly r122160.
Comment 2 Malte Ubl 2012-07-14 09:59:11 PDT 
Ha, apparently jsfiddle adds stuff that is necessary to repro.

This repros for me in the console
var data = {'test': 0};
(function() {
var a = 'test';
a = data[a]++;
})();
data

in both Safari 5.x and 6.x. I don't have a webkit nightly handy.
Comment 3 Alexey Proskuryakov 2012-07-14 10:56:52 PDT 
Thank you, I can reproduce now. CC'ing some JSC engineers.
Comment 4 Geoffrey Garen 2012-07-16 12:30:29 PDT 
<rdar://problem/11882895>
Comment 5 Gavin Barraclough 2012-09-05 18:48:31 PDT 
Created attachment 162391 [details]
Fix
Comment 6 Gavin Barraclough 2012-09-05 19:02:33 PDT 
Fixed in r127676