commit f999d22b2b45209347d3d92de0327000e8dc927b
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Nov 14 23:34:19 2012 +0000
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Nov 14 23:34:19 2012 +0000
tree 4fa3d478313ed2acd5276c51dc8fbe54e0f458b5
parent 8ebb8c1a8ac3113b982811c75277bbd2ce49a467

Don't access Node& after adding nodes to the graph.
https://bugs.webkit.org/show_bug.cgi?id=102005

Reviewed by Oliver Hunt.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@134682 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 5410a81..7d38ab2 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -135,14 +135,15 @@
             
             blessArrayOperation(node.child1(), node.child2(), 2);
             
-            ArrayMode arrayMode = node.arrayMode();
+            Node* nodePtr = &m_graph[m_compileIndex];
+            ArrayMode arrayMode = nodePtr->arrayMode();
             if (arrayMode.type() == Array::Double
                 && arrayMode.arrayClass() == Array::OriginalArray
                 && arrayMode.speculation() == Array::InBounds
                 && arrayMode.conversion() == Array::AsIs
-                && m_graph.globalObjectFor(node.codeOrigin)->arrayPrototypeChainIsSane()
-                && !(node.flags() & NodeUsedAsOther))
-                node.setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
+                && m_graph.globalObjectFor(nodePtr->codeOrigin)->arrayPrototypeChainIsSane()
+                && !(nodePtr->flags() & NodeUsedAsOther))
+                nodePtr->setArrayMode(arrayMode.withSpeculation(Array::SaneChain));
             
             break;
         }