Changeset 34373 in webkit for trunk/JavaScriptCore/kjs


Timestamp:
Jun 5, 2008, 2:19:48 AM (17 years ago)
Author:
[email protected]
Message:

2008-06-05 Cameron Zwarich <[email protected]>

Reviewed by Maciej.

Bug 19400: subscript operator does not protect base when necessary
<https://bugs.webkit.org/show_bug.cgi?id=19400>

Use a temporary for the base in BracketAccessorNode if the subscript
might possibly modify it.

JavaScriptCore:

  • kjs/grammar.y:
  • kjs/nodes.cpp: (KJS::BracketAccessorNode::emitCode):
  • kjs/nodes.h: (KJS::BracketAccessorNode::):

LayoutTests:

  • fast/js/codegen-temporaries-expected.txt:
  • fast/js/resources/codegen-temporaries.js:
Location:
trunk/JavaScriptCore/kjs
Files:
3 edited

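--- a/trunk/JavaScriptCore/kjs/grammar.y
+++ b/trunk/JavaScriptCore/kjs/grammar.y
@@ -362,5 +362,5 @@
     PrimaryExpr
   | FunctionExpr                        { $$ = createNodeFeatureInfo<ExpressionNode*>($1.m_node, $1.m_featureInfo); }
-  | MemberExpr '[' Expr ']'             { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node), $1.m_featureInfo | $3.m_featureInfo); }
+  | MemberExpr '[' Expr ']'             { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node, $3.m_featureInfo & AssignFeature), $1.m_featureInfo | $3.m_featureInfo); }
   | MemberExpr '.' IDENT                { $$ = createNodeFeatureInfo<ExpressionNode*>(new DotAccessorNode($1.m_node, *$3), $1.m_featureInfo); }
   | NEW MemberExpr Arguments            { $$ = createNodeFeatureInfo<ExpressionNode*>(new NewExprNode($2.m_node, $3.m_node), $2.m_featureInfo | $3.m_featureInfo); }
@@ -369,5 +369,5 @@
 MemberExprNoBF:
     PrimaryExprNoBrace
-  | MemberExprNoBF '[' Expr ']'         { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node), $1.m_featureInfo | $3.m_featureInfo); }
+  | MemberExprNoBF '[' Expr ']'         { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node, $3.m_featureInfo & AssignFeature), $1.m_featureInfo | $3.m_featureInfo); }
   | MemberExprNoBF '.' IDENT            { $$ = createNodeFeatureInfo<ExpressionNode*>(new DotAccessorNode($1.m_node, *$3), $1.m_featureInfo); }
   | NEW MemberExpr Arguments            { $$ = createNodeFeatureInfo<ExpressionNode*>(new NewExprNode($2.m_node, $3.m_node), $2.m_featureInfo | $3.m_featureInfo); }
@@ -387,5 +387,5 @@
     MemberExpr Arguments                { $$ = makeFunctionCallNode($1, $2); }
   | CallExpr Arguments                  { $$ = makeFunctionCallNode($1, $2); }
-  | CallExpr '[' Expr ']'               { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node), $1.m_featureInfo | $3.m_featureInfo); }
+  | CallExpr '[' Expr ']'               { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node, $3.m_featureInfo & AssignFeature), $1.m_featureInfo | $3.m_featureInfo); }
   | CallExpr '.' IDENT                  { $$ = createNodeFeatureInfo<ExpressionNode*>(new DotAccessorNode($1.m_node, *$3), $1.m_featureInfo); }
 ;
@@ -394,5 +394,5 @@
     MemberExprNoBF Arguments            { $$ = makeFunctionCallNode($1, $2); }
   | CallExprNoBF Arguments              { $$ = makeFunctionCallNode($1, $2); }
-  | CallExprNoBF '[' Expr ']'           { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node), $1.m_featureInfo | $3.m_featureInfo); }
+  | CallExprNoBF '[' Expr ']'           { $$ = createNodeFeatureInfo<ExpressionNode*>(new BracketAccessorNode($1.m_node, $3.m_node, $3.m_featureInfo & AssignFeature), $1.m_featureInfo | $3.m_featureInfo); }
   | CallExprNoBF '.' IDENT              { $$ = createNodeFeatureInfo<ExpressionNode*>(new DotAccessorNode($1.m_node, *$3), $1.m_featureInfo); }
 ;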
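Review bot: The flag passed as the third constructor argument, `$3.m_featureInfo & AssignFeature`, is only as conservative as the feature bits the parser records, and how those bits are set is not visible in these hunks. If a subscript such as `a[a++]`, or one containing a call or `eval`, can write the base's register without setting AssignFeature, the base would still be read after being overwritten; it is worth confirming those forms set the bit (or widening the mask) and covering them in fast/js/resources/codegen-temporaries.js. The same expression is repeated in all four productions (MemberExpr, MemberExprNoBF, CallExpr, CallExprNoBF), so a small helper that builds the BracketAccessorNode would keep the four from drifting apart.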
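--- a/trunk/JavaScriptCore/kjs/nodes.cpp
+++ b/trunk/JavaScriptCore/kjs/nodes.cpp
@@ -410,5 +410,5 @@
 RegisterID* BracketAccessorNode::emitCode(CodeGenerator& generator, RegisterID* dst)
 {
-    RefPtr<RegisterID> base = generator.emitNode(m_base.get());
+    RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base.get(), m_subscriptHasAssignments);
     RegisterID* property = generator.emitNode(m_subscript.get());
 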
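Review bot: The call to `emitNodeForLeftHandSide` on the first statement of emitCode carries the whole fix but has no comment naming the hazard it guards against. I would add `// The subscript may assign to the base's register; keep the base in a temporary when it does.` above that line. emitNodeForLeftHandSide is defined outside this page, so the assumption that it copies the base whenever the flag is true should be checked there. emitCode's body continues past the end of the hunk.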
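--- a/trunk/JavaScriptCore/kjs/nodes.h
+++ b/trunk/JavaScriptCore/kjs/nodes.h
@@ -528,7 +528,8 @@
     class BracketAccessorNode : public ExpressionNode {
     public:
-        BracketAccessorNode(ExpressionNode* base, ExpressionNode* subscript) KJS_FAST_CALL
+        BracketAccessorNode(ExpressionNode* base, ExpressionNode* subscript, bool subscriptHasAssignments) KJS_FAST_CALL
             : m_base(base)
             , m_subscript(subscript)
+            , m_subscriptHasAssignments(subscriptHasAssignments)
         {
         }
@@ -547,4 +548,5 @@
         RefPtr<ExpressionNode> m_base;
         RefPtr<ExpressionNode> m_subscript;
+        bool m_subscriptHasAssignments;
     };
 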
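Review bot: `m_subscriptHasAssignments` has no comment saying what it guards, so its purpose can only be learned by reading emitCode in nodes.cpp. A line such as `// True if the subscript contains an assignment; emitCode then protects the base with a temporary.` above the member would record the invariant. The call sites in grammar.y pass a masked integer to this `bool` parameter, so writing `($3.m_featureInfo & AssignFeature) != 0` there would make the conversion explicit. The class body between the two hunks is not shown.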