Title: [219111] trunk/Source/JavaScriptCore
- Revision: 219111
- Author: [email protected]
- Date: 2017-07-03 18:34:56 -0700 (Mon, 03 Jul 2017)
Log Message
DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
https://bugs.webkit.org/show_bug.cgi?id=174110
Reviewed by Michael Saboff.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (219110 => 219111)
--- trunk/Source/_javascript_Core/ChangeLog 2017-07-04 00:16:37 UTC (rev 219110)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-07-04 01:34:56 UTC (rev 219111)
@@ -1,5 +1,15 @@
2017-07-03 Saam Barati <[email protected]>
+ DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
+ https://bugs.webkit.org/show_bug.cgi?id=174110
+
+ Reviewed by Michael Saboff.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+2017-07-03 Saam Barati <[email protected]>
+
Add a new assertion to object allocation sinking phase
https://bugs.webkit.org/show_bug.cgi?id=174107
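Review bot: the new ChangeLog entry carries only the bug title, the bug link and the touched function, with no sentence on what the wrong offset caused or why the new one is correct, and it lists no test. Suggest adding one or two lines under "Reviewed by" saying which operand of op_to_this holds the to-this status and that parseBlock was reading it from the wrong offset, plus the name of a regression test or a short reason why none was added.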
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (219110 => 219111)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2017-07-04 00:16:37 UTC (rev 219110)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2017-07-04 01:34:56 UTC (rev 219111)
@@ -4140,7 +4140,7 @@
Node* op1 = getThis();
if (op1->op() != ToThis) {
Structure* cachedStructure = currentInstruction[2].u.structure.get();
- if (currentInstruction[2].u.toThisStatus != ToThisOK
+ if (currentInstruction[3].u.toThisStatus != ToThisOK
|| !cachedStructure
|| cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis
|| m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
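Review bot: the status check in this condition depends on a bare operand index, and before this change `currentInstruction[2]` was read as `u.structure` on the line above and as `u.toThisStatus` here, so one slot was interpreted through two different members of `u` and the decision was based on a value that was not a status. Moving the status read to `[3]` is consistent with `[2]` holding the cached structure, but nothing in this code keeps the two offsets from drifting apart again: consider named operand constants or typed accessors for the op_to_this slots instead of the literals 2 and 3, and add a regression test that exercises this path, since the visible diff touches no test file.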