bytecompiler sometimes generates incorrect bytecode for put_by_id https://bugs.webkit.org/show_bug.cgi?id=70403 Patch by Zheng Liu <zheng.z.liu@intel.com> on 2011-10-21 Reviewed by Filip Pizlo. * bytecompiler/NodesCodegen.cpp: (JSC::AssignDotNode::emitBytecode): (JSC::AssignBracketNode::emitBytecode): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@98091 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: 4f845d5a82f99378dda7978ec491673f43b9dea3 [log] [tgz]
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Oct 21 09:11:26 2011 +0000
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Oct 21 09:11:26 2011 +0000
tree: 42540a7b179e59153ab8f8b3a7b1d469c69e56f0
parent: 5646307e36b80500fda71b18453fb9c3557758e4 [diff]
diff --git a/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp-expected.txt b/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp-expected.txt
new file mode 100644
index 0000000..028b800
--- /dev/null
+++ b/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp-expected.txt

@@ -0,0 +1,11 @@
+Tests whether bytecode codegen properly handles assignment as righthand expression.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS assign_as_rexp_1() is 'PASS'
+PASS assign_as_rexp_2() is 'PASS'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

diff --git a/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp.html b/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp.html
new file mode 100644
index 0000000..6d0133c
--- /dev/null
+++ b/LayoutTests/fast/js/codegen-assign-nontemporary-as-rexp.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/codegen-assign-nontemporary-as-rexp.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>

diff --git a/LayoutTests/fast/js/script-tests/codegen-assign-nontemporary-as-rexp.js b/LayoutTests/fast/js/script-tests/codegen-assign-nontemporary-as-rexp.js
new file mode 100644
index 0000000..daa082a
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/codegen-assign-nontemporary-as-rexp.js

@@ -0,0 +1,35 @@
+description(
+'Tests whether bytecode codegen properly handles assignment as righthand expression.'
+);
+
+
+function assign_as_rexp_1() {
+  var obj = {};
+  var victim = 'PASS';
+  obj.__defineSetter__('slot',
+      function(v) {
+          victim = 'FAIL';
+      });
+  var obj2 = {};
+  obj2.forward = (obj['slot'] = victim);
+  return obj2.forward;
+};
+
+shouldBe("assign_as_rexp_1()", "'PASS'");
+
+
+function assign_as_rexp_2() {
+  var obj = {};
+  var victim = 'PASS';
+  obj.__defineSetter__('slot',
+      function(v) {
+          victim = 'FAIL';
+      });
+  var obj2 = {};
+  obj2.forward = (obj.slot = victim);
+  return obj2.forward;
+};
+
+shouldBe("assign_as_rexp_2()", "'PASS'");
+
+var successfullyParsed = true;

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index fce958b..0c3b773 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,14 @@
+2011-10-21  Zheng Liu  <zheng.z.liu@intel.com>
+
+        bytecompiler sometimes generates incorrect bytecode for put_by_id
+        https://bugs.webkit.org/show_bug.cgi?id=70403
+
+        Reviewed by Filip Pizlo.
+
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::AssignDotNode::emitBytecode):
+        (JSC::AssignBracketNode::emitBytecode):
+
 2011-10-20  Filip Pizlo  <fpizlo@apple.com>
 
         DFG should not try to predict argument types by looking at the values of

diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index faeff0b..1fc0bac 100644
--- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1216,8 +1216,9 @@
     RefPtr<RegisterID> value = generator.destinationForAssignResult(dst);
     RegisterID* result = generator.emitNode(value.get(), m_right);
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
-    generator.emitPutById(base.get(), m_ident, result);
-    return generator.moveToDestinationIfNeeded(dst, result);
+    RegisterID* forwardResult = (dst == generator.ignoredResult()) ? result : generator.moveToDestinationIfNeeded(generator.tempDestination(result), result);
+    generator.emitPutById(base.get(), m_ident, forwardResult);
+    return generator.moveToDestinationIfNeeded(dst, forwardResult);
 }
 
 // ------------------------------ ReadModifyDotNode -----------------------------------
@@ -1251,8 +1252,9 @@
     RegisterID* result = generator.emitNode(value.get(), m_right);
 
     generator.emitExpressionInfo(divot(), startOffset(), endOffset());
-    generator.emitPutByVal(base.get(), property.get(), result);
-    return generator.moveToDestinationIfNeeded(dst, result);
+    RegisterID* forwardResult = (dst == generator.ignoredResult()) ? result : generator.moveToDestinationIfNeeded(generator.tempDestination(result), result);
+    generator.emitPutByVal(base.get(), property.get(), forwardResult);
+    return generator.moveToDestinationIfNeeded(dst, forwardResult);
 }
 
 // ------------------------------ ReadModifyBracketNode -----------------------------------
commit	4f845d5a82f99378dda7978ec491673f43b9dea3	[log] [tgz]
author	commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Oct 21 09:11:26 2011 +0000
committer	commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Oct 21 09:11:26 2011 +0000
tree	42540a7b179e59153ab8f8b3a7b1d469c69e56f0
parent	5646307e36b80500fda71b18453fb9c3557758e4 [diff]