Ignore:
Timestamp:
Sep 5, 2012, 5:55:46 PM (13 years ago)
Author:
[email protected]
Message:

Bug, assignment within subscript of prefix/postfix increment of bracket access
https://bugs.webkit.org/show_bug.cgi?id=95913

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

javascript:alert((function(){ var a = { x:1 }; var b = { x:1 }; a[a=b,"x"]++; return a.x; })())

  • bytecompiler/NodesCodegen.cpp:

(JSC::PostfixNode::emitBracket):
(JSC::PrefixNode::emitBracket):

  • Should check for assigments in the subscript when loading the base.
  • parser/Nodes.h:

(JSC::BracketAccessorNode::subscriptHasAssignments):
(BracketAccessorNode):

  • Used by emitBracket methods.

LayoutTests:

Added test cases.

  • fast/js/inc-bracket-assign-subscript-expected.txt: Added.
  • fast/js/inc-bracket-assign-subscript.html: Added.
  • fast/js/script-tests/inc-bracket-assign-subscript.js: Added.

(testPreIncBracketAccessWithAssignSubscript):
(testPostIncBracketAccessWithAssignSubscript):

  • Tests a pre/post increment to a bracket access, where subscript contains assignment.
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/parser/Nodes.h

    r127654 r127666  
    462462        ExpressionNode* subscript() const { return m_subscript; }
    463463
     464        bool subscriptHasAssignments() const { return m_subscriptHasAssignments; }
     465
    464466    private:
    465467        virtual RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0);
Note: See TracChangeset for help on using the changeset viewer.