Timestamp:
Dec 6, 2015, 5:54:43 PM (10 years ago)
Author:
[email protected]
Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
https://bugs.webkit.org/show_bug.cgi?id=149338
http://trac.webkit.org/changeset/193584

File:
1 edited

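--- a/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -4508,4 +4508,15 @@
             NEXT_OPCODE(op_get_scope);
         }
+
+        case op_load_arrowfunction_this: {
+            Node* callee = get(VirtualRegister(JSStack::Callee));
+            Node* result;
+            if (JSArrowFunction* function = callee->dynamicCastConstant<JSArrowFunction*>())
+                result = jsConstant(function->boundThis());
+            else
+                result = addToGraph(LoadArrowFunctionThis, callee);
+            set(VirtualRegister(currentInstruction[1].u.operand), result);
+            NEXT_OPCODE(op_load_arrowfunction_this);
+        }
            
         case op_create_direct_arguments: {
@@ -4557,18 +4568,22 @@
         }
 
-        case op_new_func_exp:
-        case op_new_arrow_func_exp: {
+        case op_new_func_exp: {
             FunctionExecutable* expr = m_inlineStackTop->m_profiledBlock->functionExpr(currentInstruction[3].u.operand);
             FrozenValue* frozen = m_graph.freezeStrong(expr);
             set(VirtualRegister(currentInstruction[1].u.operand),
                 addToGraph(NewFunction, OpInfo(frozen), get(VirtualRegister(currentInstruction[2].u.operand))));
-           
-            if (opcodeID == op_new_func_exp) {
-                // Curly braces are necessary
-                NEXT_OPCODE(op_new_func_exp);
-            } else {
-                // Curly braces are necessary
-                NEXT_OPCODE(op_new_arrow_func_exp);
-            }
+            NEXT_OPCODE(op_new_func_exp);
+        }
+
+        case op_new_arrow_func_exp: {
+            FunctionExecutable* expr = m_inlineStackTop->m_profiledBlock->functionExpr(currentInstruction[3].u.operand);
+            FrozenValue* frozen = m_graph.freezeStrong(expr);
+
+            set(VirtualRegister(currentInstruction[1].u.operand),
+                addToGraph(NewArrowFunction, OpInfo(frozen),
+                    get(VirtualRegister(currentInstruction[2].u.operand)),
+                    get(VirtualRegister(currentInstruction[4].u.operand))));
+           
+            NEXT_OPCODE(op_new_arrow_func_exp);
         }
 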
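Review bot: The restored `op_load_arrowfunction_this` case folds `function->boundThis()` into a graph constant with no comment on why that value stays valid for the lifetime of the compiled code, which is worth stating in a revert prompted by an AddressSanitizer use-after-free report. Nothing in this section shows what keeps the bound `this` alive or whether it can change once the callee is known to be a constant. If the guarantee comes from `jsConstant` and from `boundThis` being fixed at creation, a comment above the `if` such as `// boundThis never changes after the arrow function is created; jsConstant() registers it with the graph.` would record it, but confirm that against those helpers first, since they are outside the section. In `op_new_arrow_func_exp` the extra child read from `currentInstruction[4].u.operand` is also undocumented; it looks like the captured `this`, and a one-line comment naming it would let a reader check the operand index against the bytecode emitter.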