Changeset 174121 in webkit for trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

Timestamp:

Sep 30, 2014, 2:02:47 PM (11 years ago)

Author:

[email protected]

Message:

REGRESSION (r174025): Invalid cast in JSC::asString
​https://bugs.webkit.org/show_bug.cgi?id=137224

Reviewed by Geoffrey Garen.

Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
when we speak of "the value being stored" we are really referring to the right value.

The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
child3. So we were incorrectly removing all barriers from PutClosureVar.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

File:

• trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -855 +855 @@
         case PutClosureVar: {
             fixEdge<KnownCellUse>(node->child1());
-            insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
+            insertStoreBarrier(m_indexInBlock, node->child1(), node->child3());
             break;
         }