Currently, FunctionCallBracketNode directly uses the RegisterID returned by emitNode. But if the base part is a local register and the subscript part has an assignment to it, the base result is accidentally rewritten.

function t() {
    var ok = {null: function () { } };
    ok[ok = null]();
}
t();  // Should not throw error.

Seeing the code, we need to use emitNodeForLeftHandSide.
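The register aliasing described in the report, as an added example that is not part of the bug thread or WebKit's code: a toy register machine compiles `ok[ok = null]()` once reusing the local's register as the base and once copying it to a temporary first, which models the copy the report asks for via emitNodeForLeftHandSide. The opcode names, register names and the functions `compileBracketCall`, `run` and `demo` are assumptions made for illustration.

```javascript
// Toy register machine (constructed for illustration; not JavaScriptCore bytecode).
// The local `ok` lives in register "r0"; "t*" registers are temporaries.
function compileBracketCall(copyBase) {
  const code = [];
  let base = "r0";                        // emitNode-style: reuse the local's register
  if (copyBase) {                         // left-hand-side style: snapshot the base first
    code.push(["mov", "t0", "r0"]);
    base = "t0";
  }
  code.push(["load", "r0", null]);        // subscript `ok = null` writes the local
  code.push(["mov", "t1", "r0"]);         // value of the subscript expression
  code.push(["get_by_val", "t2", base, "t1"]);
  code.push(["call", "t3", "t2", base]);  // operands: callee, then receiver (`this`)
  return code;
}

// Interpreter for the four opcodes above.
function run(code, initialOk) {
  const regs = { r0: initialOk };
  for (const [op, dst, a, b] of code) {
    if (op === "mov") {
      regs[dst] = regs[a];
    } else if (op === "load") {
      regs[dst] = a;
    } else if (op === "get_by_val") {
      if (regs[a] == null) throw new TypeError("base is " + regs[a]);
      regs[dst] = regs[a][String(regs[b])];
    } else if (op === "call") {
      regs[dst] = regs[a].call(regs[b]);
    }
  }
  return regs.t3;
}

// Same shape as the test case in the report; the method returns `this`
// so the receiver can be checked as well as the callee lookup.
function demo(copyBase) {
  const ok = { null: function () { return this; } };
  try {
    const receiver = run(compileBracketCall(copyBase), ok);
    return receiver === ok ? "called on original object" : "wrong receiver";
  } catch (e) {
    return e.name;
  }
}
```

`demo(false)` reproduces the failure mode (the base register already holds `null` when the property lookup runs), while `demo(true)` calls the `null` method on the original object.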
Created attachment 252467 [details] Patch
Created attachment 252481 [details] Patch
Added more tests.
Comment on attachment 252481 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=252481&action=review

Added comments to the patch for ease of review.

> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:709
> + base = emitSuperBaseForCallee(generator);

Since super is not a variable (so rewriting super cannot be done) and its return value is always a temporary register, in this case, we need not take care.

> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:712
> + base = generator.emitNode(m_base);

When the subscript is a string, evaluating it has no side effect.
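Review bot: at NodesCodegen.cpp:712, `base = generator.emitNode(m_base);` keeps the base in whatever register emitNode returns, and the quoted line carries no source comment saying why that is safe on this path. Per the explanation above, it relies on the subscript being a string whose evaluation has no side effect; recording that next to the call, and likewise noting at line 709 that the super base is always a temporary, would keep a later change to the surrounding condition from silently reintroducing the overwritten-base problem.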
Comment on attachment 252481 [details] Patch

r=me
Comment on attachment 252481 [details] Patch

Clearing flags on attachment: 252481

Committed r183955: <http://trac.webkit.org/changeset/183955>
All reviewed patches have been landed. Closing bug.