LazyNode comparison can return incorrect results when comparing an empty value
https://bugs.webkit.org/show_bug.cgi?id=145421
Reviewed by Geoffrey Garen.
When comparing a LazyNode to another, we compare the value pointers if
we have one, and otherwise compare the nodes.
We should be comparing value pointers if the other LazyNode has one as
well, otherwise we risk an incoherency when we are an empty LazyNode
being compared to a FrozenValue without node.
Note that this is not a problem in any other case because if we don't
have a FrozenValue and we are not an empty LazyNode, we are a
non-constant node, and comparing the node pointers is correct.
* dfg/DFGLazyNode.h:
(JSC::DFG::LazyNode::operator==):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@184927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGLazyNode.h b/Source/JavaScriptCore/dfg/DFGLazyNode.h
index 12571f7..cc7102b 100644
--- a/Source/JavaScriptCore/dfg/DFGLazyNode.h
+++ b/Source/JavaScriptCore/dfg/DFGLazyNode.h
@@ -34,8 +34,6 @@
namespace JSC { namespace DFG {
-
-
class LazyNode {
public:
static const size_t jsConstantTag = 0;
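Review bot: The two blank lines removed after "namespace JSC { namespace DFG {" are a whitespace cleanup unrelated to the operator== fix and are not mentioned in the commit message. Consider landing them separately, or noting them in the ChangeLog entry, so the behavioural change is the only thing a later blame or bisect of this revision turns up.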
@@ -119,7 +117,7 @@
bool operator==(const LazyNode& other) const
{
- if (asValue())
+ if (asValue() || other.asValue())
return m_value == other.m_value;
return m_node == other.m_node;
}
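Review bot: The changed condition in operator== lands without a regression test; the file list names only dfg/DFGLazyNode.h. Since the old check looked only at this side's asValue(), the result could depend on operand order, so a test should compare an empty LazyNode against one backed by a FrozenValue without a node in both orders (a == b and b == a) and expect the same answer. A one-line comment above "if (asValue() || other.asValue())" explaining why the other side is consulted, along the lines of the commit message's note about empty LazyNodes, would also keep a future cleanup from simplifying it back to the single-sided check.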