Bug 91270

Summary:

a = data[a]++; sets the wrong key in data

Product:

WebKit

Reporter:

Malte Ubl <malte>

Component:

JavaScriptCore

Assignee:

Gavin Barraclough <barraclough>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, barraclough, brendan, fpizlo, ggaren, oliver

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Fix	oliver: review+

Malte Ubl

Reported 2012-07-13 12:51:55 PDT

Hey, this code has different behavior in JSC from all other engines. var data = {'test': 0}; var a = 'test'; a = data[a]++; Data now contains {"test":0,"0":1} instead of {"test":1}

Attachments
Fix (9.29 KB, patch) 2012-09-05 18:48 PDT, Gavin Barraclough	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2012-07-14 00:45:19 PDT

Where are you seeing this issue? I cannot reproduce in Web Inspector using Safari 5.1.7 or nightly r122160.

Malte Ubl

Comment 2 2012-07-14 09:59:11 PDT

Ha, apparently jsfiddle adds stuff that is necessary to repro. This repros for me in the console var data = {'test': 0}; (function() { var a = 'test'; a = data[a]++; })(); data in both Safari 5.x and 6.x. I don't have a webkit nightly handy.

Alexey Proskuryakov

Comment 3 2012-07-14 10:56:52 PDT

Thank you, I can reproduce now. CC'ing some JSC engineers.

Geoffrey Garen

Comment 4 2012-07-16 12:30:29 PDT

<rdar://problem/11882895>

Gavin Barraclough

Comment 5 2012-09-05 18:48:31 PDT

Created attachment 162391 [details] Fix

Gavin Barraclough

Comment 6 2012-09-05 19:02:33 PDT

Fixed in r127676

Note You need to log in before you can comment on or make changes to this bug.