[Webkit-unassigned] [Bug 95815] New: inc/dec behave incorrectly operating on a resolved const
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Sep 4 19:14:18 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=95815
Summary: inc/dec behave incorrectly operating on a resolved
const
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
There are two bugs here.
(1) When the value being incremented is const, and the result is ignored, we assume this cannot be observed, and emit no code. However if the value being incremented is not a primitive & has a valueOf conversion, then this should be being called.
(2) In the case of a pre-increment of a const value where the result is not ignored, we'll move +/-1 to the destination, then add the resolved const value being incremented to this. This is problematic if the destination is a local, and the const value being incremented has a valueOf conversion that throws - the destination will be modified erroneously. Instead, we need to use a temporary location.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list