Changeset 251371 in webkit for trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

Timestamp:

Oct 21, 2019, 12:06:48 PM (6 years ago)

Author:

[email protected]

Message:

Post increment/decrement should only call ToNumber once
​https://bugs.webkit.org/show_bug.cgi?id=202711

Reviewed by Saam Barati.

JSTests:

• stress/postinc-custom-valueOf.js: Added.

(postInc):
(postDec):

Source/JavaScriptCore:

The problem is that we first called ToNumber on the object being incremented (to have the result that we'll eventually return), but we then do emitIncOrDec on the original object, which can call ToNumber again.
Instead we must do the ToNumber once, then copy its result, emitIncOrDec on the copy, put the copy back in the original location, and finally return the old value.
Since the result of ToNumber is guaranteed not to be an object, emitIncOrDec won't call ToNumber a second time.

• bytecompiler/NodesCodegen.cpp:

(JSC::emitPostIncOrDec):

File:

• trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1785 +1785 @@
     if (dst == srcDst)
         return generator.emitToNumber(generator.finalDestination(dst), srcDst);
-    RefPtr<RegisterID> tmp = generator.emitToNumber(generator.tempDestination(dst), srcDst);
-    emitIncOrDec(generator, srcDst, oper);
+    RefPtr<RegisterID> tmp = generator.emitToNumber(generator.newTemporary(), srcDst);
+    RefPtr<RegisterID> result = generator.tempDestination(srcDst);
+    generator.move(result.get(), tmp.get());
+    emitIncOrDec(generator, result.get(), oper);
+    generator.move(srcDst, result.get());
     return generator.move(dst, tmp.get());
 }