[Webkit-unassigned] [Bug 19400] New: subscript operator does not protect base when necessary
bugzilla-daemon at webkit.org
Wed Jun 4 21:48:33 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=19400
Summary: subscript operator does not protect base when necessary
Product: WebKit
Version: 526+ (Nightly build)
Platform: Macintosh
OS/Version: Mac OS X 10.5
Status: NEW
Keywords: HasReduction, Regression
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: oliver at apple.com
CC: mjs at apple.com, ggaren at apple.com, cwzwarich at uwaterloo.ca
In the expression

    var a = [-1];
    print(a[++a])

the result should be '0', but instead is 'undefined', as the code emitted does

    pre_inc a
    get_by_val result, a, a
    ...

but should actually do

    mov temp, a
    pre_inc a
    get_by_val result, temp, a

The issue is that we don't guard the base against potential modification by the subscript expression.
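The two instruction sequences in the report, modelled as an added example (not WebKit code and not written by the reporter): a toy emitter that copies the base to a temporary only when the subscript writes to the base's register, and an interpreter for the three opcodes. The opcode names come from the report; the AST shape and the function names are assumptions made for this sketch.

```javascript
// Added sketch. Opcode names (mov, pre_inc, get_by_val) come from the report;
// the AST shape, emitIndex, run and evaluate are hypothetical.

// True if evaluating `node` assigns to the local register `name`.
function writesLocal(node, name) {
  return node.type === "pre_inc" && node.target === name;
}

// Emit code for a subscript and return the register holding its value.
function emitExpr(node, code) {
  if (node.type === "pre_inc") {
    code.push(["pre_inc", node.target]);
    return node.target;
  }
  return node.name; // plain local: used in place, no code needed
}

// Emit base[subscript]. With protectBase, a base the subscript may overwrite
// is copied to a temporary before the subscript code runs.
function emitIndex(node, protectBase) {
  const code = [];
  let baseReg = node.base.name;
  if (protectBase && writesLocal(node.subscript, baseReg)) {
    code.push(["mov", "temp", baseReg]);
    baseReg = "temp";
  }
  const subReg = emitExpr(node.subscript, code);
  code.push(["get_by_val", "result", baseReg, subReg]);
  return code;
}

// Minimal interpreter for the three opcodes.
function run(code, regs) {
  for (const [op, dst, x, y] of code) {
    if (op === "mov") regs[dst] = regs[x];
    else if (op === "pre_inc") regs[dst] = Number(regs[dst]) + 1;
    else if (op === "get_by_val") regs[dst] = Object(regs[x])[regs[y]];
  }
  return regs.result;
}

// a[++a] with a = [-1], the reduction from the report.
const reduction = { type: "index", base: { type: "local", name: "a" },
                    subscript: { type: "pre_inc", target: "a" } };
function evaluate(protectBase) {
  return run(emitIndex(reduction, protectBase), { a: [-1] });
}
// What the engine running this file computes for the same expression.
function hostResult() { let a = [-1]; return a[++a]; }
```

`evaluate(false)` runs the unguarded sequence and `evaluate(true)` the guarded one; `hostResult()` gives the value the engine executing the file produces for the same expression, for comparison.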