REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
https://bugs.webkit.org/show_bug.cgi?id=88783
<rdar://problem/11640299>

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

If you don't keep alive the base of an object access over the various checks
you do for the prototype chain, you're going to have a bad time.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):

LayoutTests:

Reviewed by Geoffrey Garen.

* fast/js/dfg-proto-access-inline-osr-exit-expected.txt: Added.
* fast/js/dfg-proto-access-inline-osr-exit.html: Added.
* fast/js/script-tests/dfg-proto-access-inline-osr-exit.js: Added.
(foo):
(Thingy):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@120121 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 92c16d9..28bd08e 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2012-06-12 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
+ https://bugs.webkit.org/show_bug.cgi?id=88783
+ <rdar://problem/11640299>
+
+ Reviewed by Geoffrey Garen.
+
+ If you don't keep alive the base of an object access over the various checks
+ you do for the prototype chain, you're going to have a bad time.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleGetById):
+
2012-06-12 Hojong Han <hojong.han@samsung.com>
Property names of the built-in object cannot be retrieved
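Review bot: The `(JSC::DFG::ByteCodeParser::handleGetById):` line at the end of the added entry carries no per-function description, so the ChangeLog records only the informal summary ("keep alive the base of an object access") and not what the parser now does differently. Suggest adding one sentence after that line naming what is kept live and across which prototype-chain checks, and noting that the failure shows up on OSR exit, as the names of the added layout tests (dfg-proto-access-inline-osr-exit) indicate. That makes the regression from r119779 auditable from the log alone, without opening DFGByteCodeParser.cpp.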