[webkit-changes] [98091] trunk

Fri, 21 Oct 2011 02:10:27 -0700

Title: [98091] trunk
Revision
98091
Author
commit-qu...@webkit.org
Date
2011-10-21 02:11:26 -0700 (Fri, 21 Oct 2011)

Log Message

bytecompiler sometimes generates incorrect bytecode for put_by_id
https://bugs.webkit.org/show_bug.cgi?id=70403

Patch by Zheng Liu <zheng.z....@intel.com> on 2011-10-21
Reviewed by Filip Pizlo.

* bytecompiler/NodesCodegen.cpp:
(JSC::AssignDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):

Modified Paths

Added Paths

Diff

Added: trunk/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp-expected.txt (0 => 98091)


--- trunk/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp-expected.txt	2011-10-21 09:11:26 UTC (rev 98091)
@@ -0,0 +1,11 @@
+Tests whether bytecode codegen properly handles assignment as righthand _expression_.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS assign_as_rexp_1() is 'PASS'
+PASS assign_as_rexp_2() is 'PASS'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp.html (0 => 98091)


--- trunk/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp.html	2011-10-21 09:11:26 UTC (rev 98091)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/fast/js/script-tests/codegen-assign-nontemporary-as-rexp.js (0 => 98091)


--- trunk/LayoutTests/fast/js/script-tests/codegen-assign-nontemporary-as-rexp.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/codegen-assign-nontemporary-as-rexp.js	2011-10-21 09:11:26 UTC (rev 98091)
@@ -0,0 +1,35 @@
+description(
+'Tests whether bytecode codegen properly handles assignment as righthand _expression_.'
+);
+
+
+function assign_as_rexp_1() {
+  var obj = {};
+  var victim = 'PASS';
+  obj.__defineSetter__('slot',
+      function(v) {
+          victim = 'FAIL';
+      });
+  var obj2 = {};
+  obj2.forward = (obj['slot'] = victim);
+  return obj2.forward;
+};
+
+shouldBe("assign_as_rexp_1()", "'PASS'");
+
+
+function assign_as_rexp_2() {
+  var obj = {};
+  var victim = 'PASS';
+  obj.__defineSetter__('slot',
+      function(v) {
+          victim = 'FAIL';
+      });
+  var obj2 = {};
+  obj2.forward = (obj.slot = victim);
+  return obj2.forward;
+};
+
+shouldBe("assign_as_rexp_2()", "'PASS'");
+
+var successfullyParsed = true;

Modified: trunk/Source/_javascript_Core/ChangeLog (98090 => 98091)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-21 09:08:48 UTC (rev 98090)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-21 09:11:26 UTC (rev 98091)
@@ -1,3 +1,14 @@
+2011-10-21  Zheng Liu  <zheng.z....@intel.com>
+
+        bytecompiler sometimes generates incorrect bytecode for put_by_id
+        https://bugs.webkit.org/show_bug.cgi?id=70403
+
+        Reviewed by Filip Pizlo.
+
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::AssignDotNode::emitBytecode):
+        (JSC::AssignBracketNode::emitBytecode):
+
 2011-10-20  Filip Pizlo  <fpi...@apple.com>
 
         DFG should not try to predict argument types by looking at the values of

Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (98090 => 98091)


--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2011-10-21 09:08:48 UTC (rev 98090)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp	2011-10-21 09:11:26 UTC (rev 98091)
@@ -1216,8 +1216,9 @@
     RefPtr<RegisterID> value = generator.destinationForAssignResult(dst);
     RegisterID* result = generator.emitNode(value.get(), m_right);
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
-    generator.emitPutById(base.get(), m_ident, result);
-    return generator.moveToDestinationIfNeeded(dst, result);
+    RegisterID* forwardResult = (dst == generator.ignoredResult()) ? result : generator.moveToDestinationIfNeeded(generator.tempDestination(result), result);
+    generator.emitPutById(base.get(), m_ident, forwardResult);
+    return generator.moveToDestinationIfNeeded(dst, forwardResult);
 }
 
 // ------------------------------ ReadModifyDotNode -----------------------------------
@@ -1251,8 +1252,9 @@
     RegisterID* result = generator.emitNode(value.get(), m_right);
 
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
-    generator.emitPutByVal(base.get(), property.get(), result);
-    return generator.moveToDestinationIfNeeded(dst, result);
+    RegisterID* forwardResult = (dst == generator.ignoredResult()) ? result : generator.moveToDestinationIfNeeded(generator.tempDestination(result), result);
+    generator.emitPutByVal(base.get(), property.get(), forwardResult);
+    return generator.moveToDestinationIfNeeded(dst, forwardResult);
 }
 
 // ------------------------------ ReadModifyBracketNode -----------------------------------

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to