Changeset 115657 in webkit for trunk/Source/JavaScriptCore/interpreter

Timestamp:

Apr 30, 2012, 12:20:04 PM (13 years ago)

Author:

[email protected]

Message:

End of Interpreter::tryCacheGetByID can trigger the garbage collector
​https://bugs.webkit.org/show_bug.cgi?id=84927

Patch by Myles Maxfield <​[email protected]> on 2012-04-30
Reviewed by Oliver Hunt.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::tryCacheGetByID):

File:

• trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -1866 +1866 @@
 
     
+    StructureChain* prototypeChain = structure->prototypeChain(callFrame);
     switch (slot.cachedPropertyType()) {
     case PropertySlot::Getter:
@@ -1881 +1882 @@
     }
     vPC[4].u.structure.set(callFrame->globalData(), codeBlock->ownerExecutable(), structure);
-    vPC[5].u.structureChain.set(callFrame->globalData(), codeBlock->ownerExecutable(), structure->prototypeChain(callFrame));
+    vPC[5].u.structureChain.set(callFrame->globalData(), codeBlock->ownerExecutable(), prototypeChain);
     vPC[6] = count;
 }