Changeset 193606 in webkit for trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

Timestamp:

Dec 6, 2015, 5:54:43 PM (10 years ago)

Author:

[email protected]

Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
​https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
​https://bugs.webkit.org/show_bug.cgi?id=149338
​http://trac.webkit.org/changeset/193584

File:

• trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1811 +1811 @@
         break;
 
+    case LoadArrowFunctionThis:
+        if (JSValue base = forNode(node->child1()).m_value) {
+            JSArrowFunction* function = jsDynamicCast<JSArrowFunction*>(base);
+            setConstant(node, *m_graph.freeze(function->boundThis()));
+            break;
+        }
+        forNode(node).setType(m_graph, SpecFinalObject);
+        break;
+            
     case SkipScope: {
         JSValue child = forNode(node->child1()).value();