Title: [134682] trunk/Source/JavaScriptCore
Revision: 134682
Author: fpi...@apple.com
Date: 2012-11-14 15:34:19 -0800 (Wed, 14 Nov 2012)

Log Message

Don't access Node& after adding nodes to the graph.
https://bugs.webkit.org/show_bug.cgi?id=102005

Reviewed by Oliver Hunt.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (134681 => 134682)


--- trunk/Source/_javascript_Core/ChangeLog	2012-11-14 23:29:37 UTC (rev 134681)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-11-14 23:34:19 UTC (rev 134682)
@@ -1,3 +1,13 @@
+2012-11-13  Filip Pizlo  <fpi...@apple.com>
+
+        Don't access Node& after adding nodes to the graph.
+        https://bugs.webkit.org/show_bug.cgi?id=102005
+
+        Reviewed by Oliver Hunt.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2012-11-14  Valery Ignatyev  <valery.ignat...@ispras.ru>
 
         Replace (typeof(x) != <"object", "undefined", ...>) with
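
Review bot: The new ChangeLog entry gives only the one-line title and does not say which call in FixupPhase::fixupNode adds nodes or why a held Node& becomes unsafe afterwards. One sentence under "(JSC::DFG::FixupPhase::fixupNode):" naming the call and the re-fetch through m_graph[m_compileIndex] would let a reader understand the hazard without opening the bug. The entry is also dated 2012-11-13 while it lands in a 2012-11-14 commit above a 2012-11-14 entry, so the date is worth a second look.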

Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (134681 => 134682)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2012-11-14 23:29:37 UTC (rev 134681)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2012-11-14 23:34:19 UTC (rev 134682)
@@ -135,14 +135,15 @@
             
             blessArrayOperation(node.child1(), node.child2(), 2);
             
-            ArrayMode arrayMode = node.arrayMode();
+            Node* nodePtr = &m_graph[m_compileIndex];
+            ArrayMode arrayMode = nodePtr->arrayMode();
             if (arrayMode.type() == Array::Double
                 && arrayMode.arrayClass() == Array::OriginalArray
                 && arrayMode.speculation() == Array::InBounds
                 && arrayMode.conversion() == Array::AsIs
-                && m_graph.globalObjectFor(node.codeOrigin)->arrayPrototypeChainIsSane()
-                && !(node.flags() & NodeUsedAsOther))
-                node.setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
+                && m_graph.globalObjectFor(nodePtr->codeOrigin)->arrayPrototypeChainIsSane()
+                && !(nodePtr->flags() & NodeUsedAsOther))
+                nodePtr->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
             
             break;
         }
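
Review bot: The re-fetch at "Node* nodePtr = &m_graph[m_compileIndex];" has no comment saying why the existing node reference must not be used past this point, so a later cleanup could easily fold nodePtr back into node and reintroduce the stale access. A short comment on that line stating that the preceding blessArrayOperation(...) call may add nodes to the graph (going by the log message) and that node must be treated as invalid afterwards would protect the fix. The same caution applies to nodePtr itself: it is a raw pointer into graph storage, so it stays valid only as long as nothing between its definition and "nodePtr->setArrayMode(...)" adds nodes, which holds for the calls visible here but should be stated. Since node remains in scope for the rest of the case, consider narrowing its scope or re-indexing m_graph at each use so the compiler or the code shape enforces the rule rather than convention.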