RESOLVED FIXED 160228
[JSC] Fix a bunch of use-after-free of DFG::Node 
https://bugs.webkit.org/show_bug.cgi?id=160228
Summary [JSC] Fix a bunch of use-after-free of DFG::Node
Benjamin Poulain
Reported 2016-07-26 17:46:13 PDT
[JSC] Fix a bunch of use-after-free of DFG::Node
Attachments
Patch (7.78 KB, patch)
2016-07-26 17:57 PDT, Benjamin Poulain 		no flags
DetailsFormatted DiffDiff
Patch (7.46 KB, patch)
2016-07-26 18:14 PDT, Benjamin Poulain 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Benjamin Poulain
Comment 1 2016-07-26 17:57:45 PDT
Created attachment 284659 [details] Patch
Benjamin Poulain
Comment 2 2016-07-26 18:14:16 PDT
Created attachment 284660 [details] Patch
Benjamin Poulain
Comment 3 2016-07-26 18:46:41 PDT
Comment on attachment 284660 [details] Patch Before you ask: yep, that pisses me off *A LOT* to add yet another run of liveness+interpreter :(
Mark Lam
Comment 4 2016-07-27 08:33:05 PDT
Comment on attachment 284660 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=284660&action=review LGTM > Source/JavaScriptCore/ChangeLog:27 > + Just invalidation. Nothing wrong here since the useless nodes where > + kept live while iterating the blocks. typo: /where kept/were kept/.
Benjamin Poulain
Comment 5 2016-07-27 16:24:08 PDT
Committed r203802: <http://trac.webkit.org/changeset/203802>
Radar WebKit Bug Importer
Comment 6 2016-07-28 09:24:18 PDT
<rdar://problem/27590480>
Note You need to log in before you can comment on or make changes to this bug.