[Webkit-unassigned] [Bug 170934] New: Computed Properties with increment sometimes produces incorrect results

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 18 00:37:21 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=170934

            Bug ID: 170934
           Summary: Computed Properties with increment sometimes produces
                    incorrect results
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: joepeck at webkit.org
                CC: fpizlo at apple.com, joepeck at webkit.org,
                    keith_miller at apple.com, mark.lam at apple.com,
                    sbarati at apple.com

Summary:
Computed Properties with increment sometimes produces incorrect results

Test:

    let c = 0;
    let o1 = { [++c]: ++c };
    // Should be 1 => 2 and is.

    {
        let x = 0;
        let o2 = { [++x]: ++x };
        // Should be 1 => 2, but is not. Instead it is 2 => 2?!
    }

Notes:

> <global>#EZzSqs:[0x10f3740a0->0x10f37c520, NoneGlobal, 122]: 122 m_instructions; 976 bytes; 1 parameter(s); 12 callee register(s); 5 variable(s); scope at loc3
> [   0] enter             
> [   1] get_scope         loc3
> [   3] mov               loc4, loc3
> [   6] check_traps       
> [   7] mov               loc5, Undefined(const0)
> [  10] resolve_scope     loc6, loc3, c(@id0), <GlobalLexicalVar>, 0, 0x10f3c40a0
> [  17] put_to_scope      loc6, c(@id0), Int32: 0(const1), 1048578<DoNotThrowIfNotFound|GlobalLexicalVar|Initialization>, <structure>, 242782464
> [  24] resolve_scope     loc6, loc3, o1(@id1), <GlobalLexicalVar>, 0, 0x10f3c40a0
> [  31] new_object        loc7, 0
> [  35] resolve_scope     loc8, loc3, c(@id0), <GlobalLexicalVar>, 0, 0x10f3c40a0
> [  42] get_from_scope    loc9, loc8, c(@id0), 2050<ThrowIfNotFound|GlobalLexicalVar|NotInitialization>, 242782464    predicting None
> [  50] inc               loc9
> [  52] put_to_scope      loc8, c(@id0), loc9, 2050<ThrowIfNotFound|GlobalLexicalVar|NotInitialization>, <structure>, 242782464
> [  59] resolve_scope     loc10, loc3, c(@id0), <GlobalLexicalVar>, 0, 0x10f3c40a0
> [  66] get_from_scope    loc11, loc10, c(@id0), 2050<ThrowIfNotFound|GlobalLexicalVar|NotInitialization>, 242782464    predicting None
> [  74] inc               loc11
> [  76] put_to_scope      loc10, c(@id0), loc11, 2050<ThrowIfNotFound|GlobalLexicalVar|NotInitialization>, <structure>, 242782464
> [  83] put_by_val_direct loc7, loc9, loc11    Original
> [  88] put_to_scope      loc6, o1(@id1), loc7, 1048578<DoNotThrowIfNotFound|GlobalLexicalVar|Initialization>, <structure>, 242782472
> [  95] mov               loc6, <JSValue()>(const2)
> [  98] mov               loc7, <JSValue()>(const2)
> [ 101] mov               loc6, Int32: 0(const1)
> [ 104] new_object        loc8, 0
> [ 108] inc               loc6
> [ 110] inc               loc6
> [ 112] put_by_val_direct loc8, loc6, loc6    Original
> [ 117] mov               loc7, loc8
> [ 120] end               loc5

See Object 1's construction [31-88] compared to Object 2's [104-112].

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170418/822e5cb3/attachment-0001.html>


More information about the webkit-unassigned mailing list