projects / framework / web / webkit-efl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d512f6b) | patch
[CherryPick] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
authormhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Sep 2012 19:07:35 +0000 (19:07 +0000)
committerHojong Han <hojong.han@samsung.com>
Fri, 23 Aug 2013 08:01:40 +0000 (17:01 +0900)
commit42a9f1a2a26164329de7580744b57327dff7dc31
treefd8a12fd707215371b2ed79fe8c04abc24b647detree | snapshot
parentd512f6b033c90955e3c6e8ca3e11babd21696994commit | diff
[CherryPick] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator

[Title] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
[Issue#] N_SE-49504
[Problem] Crash after accessing property through cached property
[Solution] use structure rather than classinfo
[Cherry-Picker] Lee SangGyu <sg5.lee@samsung.com>

Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
https://bugs.webkit.org/show_bug.cgi?id=95821

Reviewed by Oliver Hunt.

We can replace the load of the ClassInfo from the object with a load from the Structure.

* dfg/DFGThunks.cpp:
(JSC::DFG::virtualForThunkGenerator):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127625 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: Ic649e638d5ef6bb57559423e24caeba9b0745a4c
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/dfg/DFGThunks.cpp diff | blob | history
Domain: Web Framework / Uncategorized;