From 2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3 Mon Sep 17 00:00:00 2001
From: Filip Pizlo
Date: Thu, 4 Apr 2013 12:17:12 +0200
Subject: Dont use a node reference after appending to the graph. https://bugs.webkit.org/show_bug.cgi?id=103305 Reviewed by Mark Hahnenberg. * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): Change-Id: I48ebd652e936ca5781fd6d1bab2df012b2027c34 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139264 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte
---
 .../dfg/DFGArgumentsSimplificationPhase.cpp | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp')
diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index b02e0112c..35c553cf8 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -621,26 +621,27 @@ public:
 continue;
 for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
 NodeIndex nodeIndex = block->at(indexInBlock);
- Node& node = m_graph[nodeIndex];
- if (node.op() != CreateArguments)
+ Node* nodePtr = &m_graph[nodeIndex];
+ if (nodePtr->op() != CreateArguments)
 continue;
 // If this is a CreateArguments for an InlineCallFrame* that does
 // not create arguments, then replace it with a PhantomArguments.
 // PhantomArguments is a non-executing node that just indicates
 // that the node should be reified as an arguments object on OSR
 // exit.
- if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
+ if (m_createsArguments.contains(nodePtr->codeOrigin.inlineCallFrame))
 continue;
- if (node.shouldGenerate()) {
- Node phantom(Phantom, node.codeOrigin);
- phantom.children = node.children;
+ if (nodePtr->shouldGenerate()) {
+ Node phantom(Phantom, nodePtr->codeOrigin);
+ phantom.children = nodePtr->children;
 phantom.ref();
 NodeIndex phantomNodeIndex = m_graph.size();
 m_graph.append(phantom);
 insertionSet.append(indexInBlock, phantomNodeIndex);
+ nodePtr = &m_graph[nodeIndex];
 }
- node.setOpAndDefaultFlags(PhantomArguments);
- node.children.reset();
+ nodePtr->setOpAndDefaultFlags(PhantomArguments);
+ nodePtr->children.reset();
 changed = true;
 }
 insertionSet.execute(*block);
-- cgit v1.2.1
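Review bot: The re-fetch `nodePtr = &m_graph[nodeIndex];` after `m_graph.append(phantom)` carries no comment, so it reads like a redundant assignment and a later cleanup could drop it, bringing back the stale-pointer use the subject line describes. I would add `// append() may move the graph's storage; re-fetch before touching the node again.` directly above it; that append can relocate nodes is inferred from the commit subject and is not visible in the hunk. A sturdier shape is to hold no pointer across the append at all and write the last two statements as `m_graph[nodeIndex].setOpAndDefaultFlags(PhantomArguments);` and `m_graph[nodeIndex].children.reset();`. The enclosing run() body starts and ends outside this hunk, so any other node references held across appends in this phase cannot be checked from here.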