Bug 246787

Summary: JavaScript execution result differs when breakpoints are disabled/enabled
Product: WebKit    Reporter: white <jinhao.zhang>
Component: JavaScriptCore    Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Critical CC: hi, manjian2006, mark.lam, pangle, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: Safari 15   
Hardware: Mac (Apple Silicon)   
OS: macOS 12   

Description white 2022-10-19 20:54:57 PDT
For the code snippet below:

(function (){
    var car2 = { color: 0 }
    var temp2 = car2;
    car2 = (car2.color += 1);
    console.log("car2's color:" + temp2.color);
})();

The printed result differs depending on whether breakpoints are enabled or not.

Expected result:
    console prints "car2's color:1" whether breakpoints are enabled or not.

Actual result:
    console prints "car2's color:1" when breakpoints are enabled
    console prints "car2's color:0" when breakpoints are disabled

Steps to reproduce:
1. open https://google.com in safari
2. opt + cmd + I to show Web Inspector
3. In Console tab, input the code above.
4. In Sources tab, toggle "Enable all breakpoints" button
5. try the code again
Comment 1 white 2022-10-25 21:22:12 PDT
typos:


    console prints "car2's color:1" whether breakpoints are enabled
    console prints "car2's color:0" whether breakpoints are disable

=>

    console prints "car2's color:1" when breakpoints are enabled
    console prints "car2's color:0" when breakpoints are disabled

---------------

4. In Sources tab, toggle "Enable app breakpoints" button

=>

4. In Sources tab, toggle "Enable all breakpoints" button
Comment 2 Radar WebKit Bug Importer 2022-10-26 20:55:19 PDT
<rdar://problem/101617598>
Comment 3 linzj 2022-11-16 17:43:53 PST
Here is my fix:
diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index f6293c4c0260..4185b48b6adc 100644
--- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
@@ -3658,6 +3658,10 @@ RegisterID* AssignDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID
 RegisterID* ReadModifyDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
 {
     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_rightHasAssignments, m_right->isPure(generator));
+    if (base.get() == dst) {
+      RefPtr<RegisterID> tmp = generator.newTemporary();
+      base = generator.move(tmp.get(), base.get());
+    }
 
     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
     RefPtr<RegisterID> thisValue;
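Review bot: the guard `if (base.get() == dst)` only covers the case where the base register is itself the destination register; the same aliasing (the operation's result landing in the register that still has to serve as the base of the put) exists in the other ReadModify* nodes, as Comment 3 itself anticipates, so the fix should be applied consistently rather than to ReadModifyDotNode alone. The body of the new `if` is indented with two spaces where the surrounding code uses four. A JSTests/stress regression test built from the snippet in the description (`car2 = (car2.color += 1)`, then checking `temp2.color`) would keep the case covered. The patch also ends with a bare `diff --git a/Source/cmake/OptionsGTK.cmake` header with no hunk, which looks like an unrelated local change and should be dropped.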
diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake


But I think there are other ReadModifyNodes that need this fix.
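The following is an added example, not code from the bug report or from WebKit: a small differential check for the aliasing pattern in the description, `x = (x.prop op= y)`, where the compound assignment's base is the same variable that receives the result. In ECMAScript the compound assignment must read the property from the object `x` currently holds, write the updated value back to that same object, and only then assign the result to `x`. Each case runs the pattern and compares the observed values with the ones the specification requires; it covers the reporter's dot form and the bracket, computed-key, other-operator and strict-mode variants that Comment 3 suspects share the bug (a bogus write to a primitive base is silently dropped in sloppy mode but throws a TypeError in strict mode, so the symptom changes). Function and variable names are local to this example.

```javascript
// Added example (not part of the bug report or of WebKit): each case returns
// the object's final property value and the value assigned to the variable.
function aliasingCases() {
  return [
    {
      // Reporter's snippet: dot access (ReadModifyDotNode in JSC's bytecompiler).
      name: "dot",
      run: function () {
        var car2 = { color: 0 };
        var temp2 = car2;
        car2 = (car2.color += 1);
        return [temp2.color, car2];
      },
      expected: [1, 1],
    },
    {
      // Same shape through bracket access (ReadModifyBracketNode).
      name: "bracket",
      run: function () {
        var obj = { color: 0 };
        var keep = obj;
        obj = (obj["color"] += 1);
        return [keep.color, obj];
      },
      expected: [1, 1],
    },
    {
      // Computed key with a side effect: it must be evaluated exactly once.
      name: "computedKey",
      run: function () {
        var obj = { color: 0 };
        var keep = obj;
        var evaluations = 0;
        obj = (obj[(evaluations++, "color")] += 1);
        return [keep.color, obj, evaluations];
      },
      expected: [1, 1, 1],
    },
    {
      // A different operator and a non-zero starting value.
      name: "multiply",
      run: function () {
        var obj = { n: 3 };
        var keep = obj;
        obj = (obj.n *= 2);
        return [keep.n, obj];
      },
      expected: [6, 6],
    },
    {
      // Strict mode: a write to a primitive base throws a TypeError here
      // instead of being dropped silently, so a buggy engine reports "threw".
      name: "strict",
      run: function () {
        "use strict";
        var obj = { color: 0 };
        var keep = obj;
        try {
          obj = (obj.color += 1);
        } catch (e) {
          return ["threw " + e.name];
        }
        return [keep.color, obj];
      },
      expected: [1, 1],
    },
  ];
}

// Runs every case and returns the names of those whose observed values differ
// from the specified ones; an empty array means the engine behaves correctly.
function findAliasingMismatches() {
  return aliasingCases()
    .filter(function (c) {
      return JSON.stringify(c.run()) !== JSON.stringify(c.expected);
    })
    .map(function (c) {
      return c.name;
    });
}
```

Paste the block into the Web Inspector console (or run it under jsc) and call `findAliasingMismatches()` once with "Enable all breakpoints" on and once with it off; on an affected build the two calls return different lists, and the returned names show which node types still need the temporary-register fix.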