RESOLVED FIXED 19400
subscript operator does not protect base when necessary
https://bugs.webkit.org/show_bug.cgi?id=19400
Oliver Hunt
Reported 2008-06-04 21:48:33 PDT
In the expression

    var a = [-1]; print(a[++a])

the result should be '0', but instead is 'undefined', as the code emitted does

    pre_inc a
    get_by_val result, a, a
    ...

but should actually do

    mov temp, a
    pre_inc a
    get_by_val result, temp, a

The issue is that we don't guard the base against potential modification by the subscript expression.
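The two opcode sequences from the report, run on a toy register machine and compared with the host engine's own evaluation of the expression. This is an added example, not part of the original report or of WebKit's code; the opcode semantics and the names `run`, `evalEmitted`, `evalGuarded` and `evalNative` are assumptions inferred from the opcode names above.

```javascript
// Toy register machine covering only the three opcodes named in the report.
// The semantics below are assumptions inferred from the opcode names.
function run(program, regs) {
  for (const [op, ...args] of program) {
    switch (op) {
      case "mov": {          // mov dst, src
        const [dst, src] = args;
        regs[dst] = regs[src];
        break;
      }
      case "pre_inc": {      // pre_inc r: r = ToNumber(r) + 1
        const [r] = args;
        regs[r] = Number(regs[r]) + 1;
        break;
      }
      case "get_by_val": {   // get_by_val dst, base, subscript
        const [dst, base, sub] = args;
        regs[dst] = regs[base][regs[sub]];
        break;
      }
      default:
        throw new Error("unknown opcode: " + op);
    }
  }
  return regs.result;
}

// Sequence the report says was emitted: the base register is read after
// pre_inc has already overwritten it with a number.
const emitted = [
  ["pre_inc", "a"],
  ["get_by_val", "result", "a", "a"],
];

// Sequence the report asks for: the base is copied to a temporary first,
// so the subscript expression cannot modify it.
const guarded = [
  ["mov", "temp", "a"],
  ["pre_inc", "a"],
  ["get_by_val", "result", "temp", "a"],
];

function evalEmitted() { return run(emitted, { a: [-1] }); }
function evalGuarded() { return run(guarded, { a: [-1] }); }
// The same source expression evaluated by the host JavaScript engine.
function evalNative() { var a = [-1]; return a[++a]; }

console.log(evalEmitted(), evalGuarded(), evalNative());
```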
Attachments
Proposed patch (7.11 KB, patch)
2008-06-05 01:50 PDT, Cameron Zwarich (cpst)
mjs: review+
Cameron Zwarich (cpst)
Comment 1 2008-06-05 01:50:17 PDT
Created attachment 21506
Proposed patch

Here's a fix. It is a slight progression on SunSpider for me, and it doesn't affect very much codegen. I can post the diffs if anyone is interested.
Maciej Stachowiak
Comment 2 2008-06-05 01:55:45 PDT
Comment on attachment 21506
Proposed patch

r=me but I suggest more tests of funny business in the bracket subscript.
Cameron Zwarich (cpst)
Comment 3 2008-06-05 02:21:58 PDT
Landed in r34373.