[Webkit-unassigned] [Bug 246787] JavaScript execution result different when disable/enable breakpoints

bugzilla-daemon at webkit.org
Wed Nov 16 17:43:53 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=246787

linzj <manjian2006 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |manjian2006 at gmail.com

--- Comment #3 from linzj <manjian2006 at gmail.com> ---
Here is my fix:
diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index f6293c4c0260..4185b48b6adc 100644
--- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
@@ -3658,6 +3658,10 @@ RegisterID* AssignDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID
 RegisterID* ReadModifyDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
 {
     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_rightHasAssignments, m_right->isPure(generator));
+    if (base.get() == dst) {
+      RefPtr<RegisterID> tmp = generator.newTemporary();
+      base = generator.move(tmp.get(), base.get());
+    }

     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
     RefPtr<RegisterID> thisValue;
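
Review bot: The `if (base.get() == dst)` block added right after `emitNodeForLeftHandSide` has no comment saying what goes wrong when base and dst are the same register, and the patch carries no regression test for that case. Please add a short comment on why the base must be copied before the right-hand side is emitted, and include a test built from the bug's reproduction that checks the result is the same with breakpoints enabled and disabled. The two lines inside the `if` are indented two spaces relative to it while the surrounding code uses four, so they should be re-indented to match. Since the same pattern would have to be repeated in any other read-modify node that needs it, consider moving the check-and-copy into one helper on the generator rather than inlining it here.
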
diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake


But I think there are other ReadModifyNodes that need this fix.
