Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d55d921dd45a79ee02ed349c9b17c57d32fa74e1
https://github.com/WebKit/WebKit/commit/d55d921dd45a79ee02ed349c9b17c57d32fa74e1
Author: Sosuke Suzuki <[email protected]>
Date: 2026-04-11 (Sat, 11 Apr 2026)
Changed paths:
A JSTests/stress/short-circuit-assignment-readonly-local.js
M JSTests/test262/expectations.yaml
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
Log Message:
-----------
[JSC] Short-circuit assignment should not overwrite read-only locals
https://bugs.webkit.org/show_bug.cgi?id=311734
Reviewed by Yusuke Suzuki.
For `a &&= b` (and `||=`, `??=`) where `a` is a read-only local binding
(a const, or a function expression's own name), the bytecode generator
evaluated the right-hand side directly into `a`'s register before
emitting the read-only error. The overwritten value became observable
when the TypeError was caught, or in sloppy mode for function-name
bindings where assignment is silently ignored and no error is thrown.
Test: JSTests/stress/short-circuit-assignment-readonly-local.js
* JSTests/stress/short-circuit-assignment-readonly-local.js: Added.
(shouldBe):
(shouldThrow):
(testConstAnd):
(testConstOr):
(testConstCoalesce):
(let.f):
(let.g):
* JSTests/test262/expectations.yaml:
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
Canonical link: https://commits.webkit.org/311025@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
