Changeset 134682 in webkit

Timestamp:

Nov 14, 2012, 3:34:19 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

Don't access Node& after adding nodes to the graph.
​https://bugs.webkit.org/show_bug.cgi?id=102005

Reviewed by Oliver Hunt.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-11-13  Filip Pizlo  <fpizlo@apple.com>
+
+        Don't access Node& after adding nodes to the graph.
+        https://bugs.webkit.org/show_bug.cgi?id=102005
+
+        Reviewed by Oliver Hunt.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2012-11-14  Valery Ignatyev  <valery.ignatyev@ispras.ru>
 

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -136 +136 @@
             blessArrayOperation(node.child1(), node.child2(), 2);
             
-            ArrayMode arrayMode = node.arrayMode();
+            Node* nodePtr = &m_graph[m_compileIndex];
+            ArrayMode arrayMode = nodePtr->arrayMode();
             if (arrayMode.type() == Array::Double
                 && arrayMode.arrayClass() == Array::OriginalArray
                 && arrayMode.speculation() == Array::InBounds
                 && arrayMode.conversion() == Array::AsIs
-                && m_graph.globalObjectFor(node.codeOrigin)->arrayPrototypeChainIsSane()
-                && !(node.flags() & NodeUsedAsOther))
-                node.setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
+                && m_graph.globalObjectFor(nodePtr->codeOrigin)->arrayPrototypeChainIsSane()
+                && !(nodePtr->flags() & NodeUsedAsOther))
+                nodePtr->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
             
             break;