Changeset 193606 in webkit for trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

Timestamp:

Dec 6, 2015, 5:54:43 PM (10 years ago)

Author:

[email protected]

Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
​https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
​https://bugs.webkit.org/show_bug.cgi?id=149338
​http://trac.webkit.org/changeset/193584

File:

• trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -4843 +4843 @@
     cellResult(result.gpr(), node);
 }
+
+    
+void SpeculativeJIT::compileLoadArrowFunctionThis(Node* node)
+{
+    SpeculateCellOperand function(this, node->child1());
+    GPRTemporary result(this, Reuse, function);
+    m_jit.loadPtr(JITCompiler::Address(function.gpr(), JSArrowFunction::offsetOfThisValue()), result.gpr());
+    cellResult(result.gpr(), node);
+}
     
 void SpeculativeJIT::compileSkipScope(Node* node)