[webkit-changes] [WebKit/WebKit] 9b945b: [JSC] Bracket update expression should resolve pro...
Ross Kirsling
noreply at github.com
Thu Feb 29 18:19:30 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9b945bdd8d46d2755cb115acb4596b3ed14d97eb
https://github.com/WebKit/WebKit/commit/9b945bdd8d46d2755cb115acb4596b3ed14d97eb
Author: Ross Kirsling <ross.kirsling at sony.com>
Date: 2024-02-29 (Thu, 29 Feb 2024)
Changed paths:
M JSTests/test262/expectations.yaml
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
Log Message:
-----------
[JSC] Bracket update expression should resolve property key at most once
https://bugs.webkit.org/show_bug.cgi?id=270150
Reviewed by Justin Michaud.
Currently, in an expression like `obj[prop]++`, we double-evaluate `prop`, as GetByVal and PutByVal
each perform ToPropertyKey separately. To correct this, we need to perform ToPropertyKey in advance,
but only after ensuring that `obj` is object-coercible; if it isn't, we shouldn't perform ToPropertyKey at all.
This extra work can be bypassed for literal numbers and strings;
as a drive-by fix, this patch corrects a case which was intending to perform a similar bypass,
but which mixed up || and &&, thereby ending up with a constant true.
* JSTests/test262/expectations.yaml: Mark 8 test cases as passing.
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitBracket):
(JSC::PrefixNode::emitBracket):
(JSC::ObjectPatternNode::bindValue const):
Canonical link: https://commits.webkit.org/275531@main
To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
More information about the webkit-changes
mailing list