Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
https://bugs.webkit.org/show_bug.cgi?id=160870

Reviewed by Darin Adler.

Credit goes to Jonathan Bedard for finding this bug using the undefined
behavior sanitizer.

The rule for MaterializeNewObject inside AI was assuming that the graph
is in SSA form. This used to be true when MaterializeNewObject was only
inserted by the allocation sinking phase. However, Filip added more uses
of MaterializeNewObject in his RegExp constant folding patch. This fixes
the bug by using the structure set inside the Node's OpInfo rather than
generating it from m_phiChildren inside AI.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@205522 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index 4df5aab..a435183 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -1965,15 +1965,7 @@
         break;
         
     case MaterializeNewObject: {
-        StructureSet set;
-        
-        m_phiChildren->forAllTransitiveIncomingValues(
-            m_graph.varArgChild(node, 0).node(),
-            [&] (Node* incoming) {
-                set.add(incoming->castConstant<Structure*>());
-            });
-        
-        forNode(node).set(m_graph, set);
+        forNode(node).set(m_graph, node->structureSet());
         break;
     }
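Review bot: the replacement line `forNode(node).set(m_graph, node->structureSet());` silently depends on every creator of MaterializeNewObject (the allocation sinking phase and the newer RegExp constant folding) filling the OpInfo structure set with the same set the removed `m_phiChildren->forAllTransitiveIncomingValues` walk used to compute; a short comment above that line stating that AI must not assume SSA here (so `m_phiChildren` may be null) would keep a future cleanup from reintroducing the phi walk. Since the bug was found by UBSan rather than a crash, it would also be worth a debug assertion in the non-SSA path that no other rule in this switch touches `m_phiChildren` unconditionally.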