Context Navigation

NodesCodegen.cpp

Timestamp:

Sep 5, 2012, 5:55:46 PM (13 years ago)

Author:

Message:

Bug, assignment within subscript of prefix/postfix increment of bracket access
https://bugs.webkit.org/show_bug.cgi?id=95913

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

javascript:alert((function(){ var a = { x:1 }; var b = { x:1 }; a[a=b,"x"]++; return a.x; })())

(JSC::PostfixNode::emitBracket):
(JSC::PrefixNode::emitBracket):

(JSC::BracketAccessorNode::subscriptHasAssignments):
(BracketAccessorNode):

LayoutTests:

Added test cases.

(testPreIncBracketAccessWithAssignSubscript):
(testPostIncBracketAccessWithAssignSubscript):

Tests a pre/post increment to a bracket access, where subscript contains assignment.

File:

-              r127654
+              r127666
     ExpressionNode* subscript = bracketAccessor->subscript();
     RefPtr<RegisterID> base = generator.emitNode(baseNode);
+    RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(baseNode, bracketAccessor->subscriptHasAssignments(), subscript->isPure(generator));
     RefPtr<RegisterID> property = generator.emitNode(subscript);
 …
     ExpressionNode* subscript = bracketAccessor->subscript();
     RefPtr<RegisterID> base = generator.emitNode(baseNode);
+    RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(baseNode, bracketAccessor->subscriptHasAssignments(), subscript->isPure(generator));
     RefPtr<RegisterID> property = generator.emitNode(subscript);
     RefPtr<RegisterID> propDst = generator.tempDestination(dst);

Note: See TracChangeset for help on using the changeset viewer.