[webkit-changes] [139264] trunk/Source/JavaScriptCore

[fpizlo]

Title: [139264] trunk/Source/_javascript_Core

Revision

139264

Author

fpi...@apple.com

Date

2013-01-09 17:59:38 -0800 (Wed, 09 Jan 2013)

Log Message

Dont use a node reference after appending to the graph.
https://bugs.webkit.org/show_bug.cgi?id=103305
<rdar://problem/12753096>

Reviewed by Mark Hahnenberg.

* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (139263 => 139264)

--- trunk/Source/_javascript_Core/ChangeLog	2013-01-10 01:56:23 UTC (rev 139263)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-01-10 01:59:38 UTC (rev 139264)
@@ -1,3 +1,14 @@
+2013-01-09  Filip Pizlo  <fpi...@apple.com>
+
+        Dont use a node reference after appending to the graph.
+        https://bugs.webkit.org/show_bug.cgi?id=103305
+        <rdar://problem/12753096>
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+
 2013-01-09  Roger Fong  <roger_f...@apple.com>
 
         Rename export files to make them more easily findable.

Modified: trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp (139263 => 139264)

--- trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp	2013-01-10 01:56:23 UTC (rev 139263)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp	2013-01-10 01:59:38 UTC (rev 139264)
@@ -622,26 +622,27 @@
                 continue;
             for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
                 NodeIndex nodeIndex = block->at(indexInBlock);
-                Node& node = m_graph[nodeIndex];
-                if (node.op() != CreateArguments)
+                Node* nodePtr = &m_graph[nodeIndex];
+                if (nodePtr->op() != CreateArguments)
                     continue;
                 // If this is a CreateArguments for an InlineCallFrame* that does
                 // not create arguments, then replace it with a PhantomArguments.
                 // PhantomArguments is a non-executing node that just indicates
                 // that the node should be reified as an arguments object on OSR
                 // exit.
-                if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
+                if (m_createsArguments.contains(nodePtr->codeOrigin.inlineCallFrame))
                     continue;
-                if (node.shouldGenerate()) {
-                    Node phantom(Phantom, node.codeOrigin);
-                    phantom.children = node.children;
+                if (nodePtr->shouldGenerate()) {
+                    Node phantom(Phantom, nodePtr->codeOrigin);
+                    phantom.children = nodePtr->children;
                     phantom.ref();
                     NodeIndex phantomNodeIndex = m_graph.size();
                     m_graph.append(phantom);
                     insertionSet.append(indexInBlock, phantomNodeIndex);
+                    nodePtr = &m_graph[nodeIndex];
                 }
-                node.setOpAndDefaultFlags(PhantomArguments);
-                node.children.reset();
+                nodePtr->setOpAndDefaultFlags(PhantomArguments);
+                nodePtr->children.reset();
                 changed = true;
             }
             insertionSet.execute(*block);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes