Bug 160228 - [JSC] Fix a bunch of use-after-free of DFG::Node
Summary: [JSC] Fix a bunch of use-after-free of DFG::Node
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Benjamin Poulain
URL:
Keywords: InRadar
Depends on:
Blocks: 160098
Reported: 2016-07-26 17:46 PDT by Benjamin Poulain
Modified: 2016-07-28 09:24 PDT (History)

Attachments
Patch (7.78 KB, patch)
2016-07-26 17:57 PDT, Benjamin Poulain
no flags
Patch (7.46 KB, patch)
2016-07-26 18:14 PDT, Benjamin Poulain
mark.lam: review+

Description Benjamin Poulain 2016-07-26 17:46:13 PDT
[JSC] Fix a bunch of use-after-free of DFG::Node
Comment 1 Benjamin Poulain 2016-07-26 17:57:45 PDT
Created attachment 284659 [details]
Patch
Comment 2 Benjamin Poulain 2016-07-26 18:14:16 PDT
Created attachment 284660 [details]
Patch
Comment 3 Benjamin Poulain 2016-07-26 18:46:41 PDT
Comment on attachment 284660 [details]
Patch

Before you ask: yep, that pisses me off *A LOT* to add yet another run of liveness+interpreter :(
Comment 4 Mark Lam 2016-07-27 08:33:05 PDT
Comment on attachment 284660 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=284660&action=review

LGTM

> Source/JavaScriptCore/ChangeLog:27
> +        Just invalidation. Nothing wrong here since the useless nodes where
> +        kept live while iterating the blocks.

typo: /where kept/were kept/.
Comment 5 Benjamin Poulain 2016-07-27 16:24:08 PDT
Committed r203802: <http://trac.webkit.org/changeset/203802>
Comment 6 Radar WebKit Bug Importer 2016-07-28 09:24:18 PDT
<rdar://problem/27590480>