WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
19400
subscript operator does not protect base when necessary
https://bugs.webkit.org/show_bug.cgi?id=19400
Summary
subscript operator does not protect base when necessary
Oliver Hunt
Reported
2008-06-04 21:48:33 PDT
in the expression var a = [-1]; print(a[++a]) the result should be '0', but instead is 'undefined', as the code emitted does pre_inc a get_by_val result, a, a ... but should actually do mov temp, a pre_inc a get_by_val result, temp, a The issue is that we don't guard the base against potential modification by the subscript expression
Attachments
Proposed patch
(7.11 KB, patch)
2008-06-05 01:50 PDT
,
Cameron Zwarich (cpst)
mjs
: review+
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1
2008-06-05 01:50:17 PDT
Created
attachment 21506
[details]
Proposed patch Here's a fix. It is a slight progression on SunSpider for me, and it doesn't affect very much codegen. I can post the diffs if anyone is interested.
Maciej Stachowiak
Comment 2
2008-06-05 01:55:45 PDT
Comment on
attachment 21506
[details]
Proposed patch r=me but I suggest more tests of funny business in the bracket subscript.
Cameron Zwarich (cpst)
Comment 3
2008-06-05 02:21:58 PDT
Landed in
r34373
.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug