Changeset 127676 in webkit for trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

Timestamp:

Sep 5, 2012, 7:02:54 PM (13 years ago)

Author:

[email protected]

Message:

a = data[a]++; sets the wrong key in data
​https://bugs.webkit.org/show_bug.cgi?id=91270

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Postfix inc/dec is unsafely using finalDestination, can trample base/subscript prior to the result being put.

• bytecompiler/NodesCodegen.cpp:

(JSC::PostfixNode::emitResolve):

• Remove redundant parens.

(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):

• Refactored to use tempDestination instead of finalDestination.

(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):

• Should be using emitPreIncOrDec.

LayoutTests:

Added test cases.

• fast/js/post-inc-assign-overwrites-expected.txt: Added.
• fast/js/post-inc-assign-overwrites.html: Added.
• fast/js/script-tests/post-inc-assign-overwrites.js: Added.

(postIncDotAssignToBase):
(postIncBracketAssignToBase):
(postIncBracketAssignToSubscript):

File:

• trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (6 diffs)

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -629 +629 @@
             oldValue = 0;
             emitPreIncOrDec(generator, value.get(), m_operator);
-        } else {
+        } else
             oldValue = emitPostIncOrDec(generator, generator.finalDestination(dst), value.get(), m_operator);
-        }
         generator.emitPutStaticVar(resolveResult, ident, value.get());
         return oldValue;
@@ -643 +642 @@
         oldValue = 0;
         emitPreIncOrDec(generator, value.get(), m_operator);
-    } else {
+    } else
         oldValue = emitPostIncOrDec(generator, generator.finalDestination(dst), value.get(), m_operator);
-    }
     generator.emitPutById(base.get(), ident, value.get());
     return oldValue;
@@ -662 +660 @@
     generator.emitExpressionInfo(bracketAccessor->divot(), bracketAccessor->startOffset(), bracketAccessor->endOffset());
     RefPtr<RegisterID> value = generator.emitGetByVal(generator.newTemporary(), base.get(), property.get());
-    RegisterID* oldValue;
     if (dst == generator.ignoredResult()) {
-        oldValue = 0;
-        if (m_operator == OpPlusPlus)
-            generator.emitPreInc(value.get());
-        else
-            generator.emitPreDec(value.get());
-    } else {
-        oldValue = (m_operator == OpPlusPlus) ? generator.emitPostInc(generator.finalDestination(dst), value.get()) : generator.emitPostDec(generator.finalDestination(dst), value.get());
-    }
+        emitPreIncOrDec(generator, value.get(), m_operator);
+        generator.emitExpressionInfo(divot(), startOffset(), endOffset());
+        generator.emitPutByVal(base.get(), property.get(), value.get());
+        return 0;
+    }
+    RegisterID* oldValue = emitPostIncOrDec(generator, generator.tempDestination(dst), value.get(), m_operator);
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
     generator.emitPutByVal(base.get(), property.get(), value.get());
-    return oldValue;
+    return generator.moveToDestinationIfNeeded(dst, oldValue);
 }
 
@@ -688 +683 @@
     generator.emitExpressionInfo(dotAccessor->divot(), dotAccessor->startOffset(), dotAccessor->endOffset());
     RefPtr<RegisterID> value = generator.emitGetById(generator.newTemporary(), base.get(), ident);
-    RegisterID* oldValue;
     if (dst == generator.ignoredResult()) {
-        oldValue = 0;
-        if (m_operator == OpPlusPlus)
-            generator.emitPreInc(value.get());
-        else
-            generator.emitPreDec(value.get());
-    } else {
-        oldValue = (m_operator == OpPlusPlus) ? generator.emitPostInc(generator.finalDestination(dst), value.get()) : generator.emitPostDec(generator.finalDestination(dst), value.get());
-    }
+        emitPreIncOrDec(generator, value.get(), m_operator);
+        generator.emitExpressionInfo(divot(), startOffset(), endOffset());
+        generator.emitPutById(base.get(), ident, value.get());
+        return 0;
+    }
+    RegisterID* oldValue = emitPostIncOrDec(generator, generator.tempDestination(dst), value.get(), m_operator);
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
     generator.emitPutById(base.get(), ident, value.get());
-    return oldValue;
+    return generator.moveToDestinationIfNeeded(dst, oldValue);
 }
 
@@ -855 +847 @@
     generator.emitExpressionInfo(bracketAccessor->divot(), bracketAccessor->startOffset(), bracketAccessor->endOffset());
     RegisterID* value = generator.emitGetByVal(propDst.get(), base.get(), property.get());
-    if (m_operator == OpPlusPlus)
-        generator.emitPreInc(value);
-    else
-        generator.emitPreDec(value);
+    emitPreIncOrDec(generator, value, m_operator);
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
     generator.emitPutByVal(base.get(), property.get(), value);
@@ -876 +865 @@
     generator.emitExpressionInfo(dotAccessor->divot(), dotAccessor->startOffset(), dotAccessor->endOffset());
     RegisterID* value = generator.emitGetById(propDst.get(), base.get(), ident);
-    if (m_operator == OpPlusPlus)
-        generator.emitPreInc(value);
-    else
-        generator.emitPreDec(value);
+    emitPreIncOrDec(generator, value, m_operator);
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
     generator.emitPutById(base.get(), ident, value);