Changeset 193606 in webkit for trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

Timestamp:

Dec 6, 2015, 5:54:43 PM (10 years ago)

Author:

[email protected]

Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
​https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
​https://bugs.webkit.org/show_bug.cgi?id=149338
​http://trac.webkit.org/changeset/193584

File:

• trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1080 +1080 @@
 {
     LLINT_BEGIN();
-    
+
+    JSValue thisValue = LLINT_OP_C(4).jsValue();
     CodeBlock* codeBlock = exec->codeBlock();
     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
     FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
     
-    LLINT_RETURN(JSFunction::create(vm, executable, scope));
+    LLINT_RETURN(JSArrowFunction::create(vm, executable, scope, thisValue));
 }