Changeset 193606 in webkit for trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

Timestamp:

Dec 6, 2015, 5:54:43 PM (10 years ago)

Author:

[email protected]

Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
​https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
​https://bugs.webkit.org/show_bug.cgi?id=149338
​http://trac.webkit.org/changeset/193584

File:

• trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

@@ -165 +165 @@
         FunctionExecutable* executable = nullptr;
         JSScope* activation = nullptr;
+        JSValue boundThis;
+        bool isArrowFunction = false;
         for (unsigned i = materialization->properties().size(); i--;) {
             const ExitPropertyValue& property = materialization->properties()[i];
@@ -171 +173 @@
             if (property.location() == PromotedLocationDescriptor(FunctionActivationPLoc))
                 activation = jsCast<JSScope*>(JSValue::decode(values[i]));
+            if (property.location() == PromotedLocationDescriptor(ArrowFunctionBoundThisPLoc)) {
+                isArrowFunction = true;
+                boundThis = JSValue::decode(values[i]);
+            }
         }
         RELEASE_ASSERT(executable && activation);
 
         
-        JSFunction* result = JSFunction::createWithInvalidatedReallocationWatchpoint(vm, executable, activation);
+        JSFunction* result = isArrowFunction
+            ? JSArrowFunction::createWithInvalidatedReallocationWatchpoint(vm, executable, activation, boundThis)
+            : JSFunction::createWithInvalidatedReallocationWatchpoint(vm, executable, activation);
 
         return result;