Bug 19400 - subscript operator does not protect base when necessary
Summary: subscript operator does not protect base when necessary
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
: P2 Normal
Assignee: Nobody
URL:
Keywords: HasReduction, Regression
Depends on:
Blocks:
 
Reported: 2008-06-04 21:48 PDT by Oliver Hunt
Modified: 2008-06-05 02:21 PDT (History)
3 users (show)

See Also:


Attachments
Proposed patch (7.11 KB, patch)
2008-06-05 01:50 PDT, Cameron Zwarich (cpst)
mjs: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Hunt 2008-06-04 21:48:33 PDT
in the expression
var  a = [-1];
print(a[++a])

the result should be '0', but instead is 'undefined', as the code emitted does
pre_inc a
get_by_val result, a, a
...

but should actually do
mov temp, a
pre_inc a
get_by_val result, temp, a

The issue is that we don't guard the base against potential modification by the subscript expression
Comment 1 Cameron Zwarich (cpst) 2008-06-05 01:50:17 PDT
Created attachment 21506 [details]
Proposed patch

Here's a fix. It is a slight progression on SunSpider for me, and it doesn't affect very much codegen. I can post the diffs if anyone is interested.
Comment 2 Maciej Stachowiak 2008-06-05 01:55:45 PDT
Comment on attachment 21506 [details]
Proposed patch

r=me but I suggest more tests of funny business in the bracket subscript.
Comment 3 Cameron Zwarich (cpst) 2008-06-05 02:21:58 PDT
Landed in r34373.