RESOLVED FIXED 95815
inc/dec behave incorrectly operating on a resolved const 
https://bugs.webkit.org/show_bug.cgi?id=95815
Summary inc/dec behave incorrectly operating on a resolved const
Gavin Barraclough
Reported 2012-09-04 19:14:31 PDT
There are two bugs here. (1) When the value being incremented is const, and the result is ignored, we assume this cannot be observed, and emit no code. However if the value being incremented is not a primitive & has a valueOf conversion, then this should be being called. (2) In the case of a pre-increment of a const value where the result is not ignored, we'll move +/-1 to the destination, then add the resolved const value being incremented to this. This is problematic if the destination is a local, and the const value being incremented has a valueOf conversion that throws - the destination will be modified erroneously. Instead, we need to use a temporary location.
Attachments
Fix (7.04 KB, patch)
2012-09-04 19:21 PDT, Gavin Barraclough 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Gavin Barraclough
Comment 1 2012-09-04 19:21:03 PDT
Created attachment 162148 [details] Fix
Geoffrey Garen
Comment 2 2012-09-04 19:33:08 PDT
Comment on attachment 162148 [details] Fix r=me
Gavin Barraclough
Comment 3 2012-09-05 00:20:06 PDT
Fixed in r127544
Note You need to log in before you can comment on or make changes to this bug.