Dont use a node reference after appending to the graph.

https://bugs.webkit.org/show_bug.cgi?id=103305 <rdar://problem/12753096> Reviewed by Mark Hahnenberg. * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): Change-Id: I48ebd652e936ca5781fd6d1bab2df012b2027c34 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139264 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
author: Filip Pizlo <fpizlo@apple.com> 2013-04-04 12:17:12 +0200
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-04-04 14:32:33 +0200
commit: 2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3 (patch)
tree: f176e14d4627af8f0a35f5b1b209f07fb6b7bc85 /Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
parent: e0892c4f8d16204aa21b9915b457ab23ae1df37c (diff)
download: qtwebkit-2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3.tar.gz
1 files changed, 9 insertions, 8 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index b02e0112c..35c553cf8 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -621,26 +621,27 @@ public:
                 continue;
             for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
                 NodeIndex nodeIndex = block->at(indexInBlock);
-                Node& node = m_graph[nodeIndex];
-                if (node.op() != CreateArguments)
+                Node* nodePtr = &m_graph[nodeIndex];
+                if (nodePtr->op() != CreateArguments)
                     continue;
                 // If this is a CreateArguments for an InlineCallFrame* that does
                 // not create arguments, then replace it with a PhantomArguments.
                 // PhantomArguments is a non-executing node that just indicates
                 // that the node should be reified as an arguments object on OSR
                 // exit.
-                if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
+                if (m_createsArguments.contains(nodePtr->codeOrigin.inlineCallFrame))
                     continue;
-                if (node.shouldGenerate()) {
-                    Node phantom(Phantom, node.codeOrigin);
-                    phantom.children = node.children;
+                if (nodePtr->shouldGenerate()) {
+                    Node phantom(Phantom, nodePtr->codeOrigin);
+                    phantom.children = nodePtr->children;
                     phantom.ref();
                     NodeIndex phantomNodeIndex = m_graph.size();
                     m_graph.append(phantom);
                     insertionSet.append(indexInBlock, phantomNodeIndex);
+                    nodePtr = &m_graph[nodeIndex];
                 }
-                node.setOpAndDefaultFlags(PhantomArguments);
-                node.children.reset();
+                nodePtr->setOpAndDefaultFlags(PhantomArguments);
+                nodePtr->children.reset();
                 changed = true;
             }
             insertionSet.execute(*block);
author	Filip Pizlo <fpizlo@apple.com>	2013-04-04 12:17:12 +0200
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-04-04 14:32:33 +0200
commit	2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3 (patch)
tree	f176e14d4627af8f0a35f5b1b209f07fb6b7bc85 /Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
parent	e0892c4f8d16204aa21b9915b457ab23ae1df37c (diff)
download	qtwebkit-2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3.tar.gz