2009-01-21 Gavin Barraclough <barraclough@apple.com>
authorbarraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Jan 2009 03:35:42 +0000 (03:35 +0000)
committerbarraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Jan 2009 03:35:42 +0000 (03:35 +0000)
        Reviewed by Geoff Garen.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=23468.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@40108 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/interpreter/Interpreter.cpp

index 764c64c..69030a8 100644 (file)
@@ -1,3 +1,12 @@
+2009-01-21  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=23468.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+
 2009-01-21  Alexey Proskuryakov  <ap@webkit.org>
 
         Suggested by Oliver Hunt. Reviewed by Oliver Hunt.
index 4fae1c5..4c9623f 100644 (file)
@@ -2551,9 +2551,9 @@ JSValuePtr Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registe
                 size_t count = vPC[6].u.operand;
                 RefPtr<Structure>* end = it + count;
 
-                JSObject* baseObject = asObject(baseCell);
-                while (1) {
-                    baseObject = asObject(baseObject->structure()->prototypeForLookup(callFrame));
+                while (true) {
+                    JSObject* baseObject = asObject(baseCell->structure()->prototypeForLookup(callFrame));
+
                     if (UNLIKELY(baseObject->structure() != (*it).get()))
                         break;
 
@@ -2567,6 +2567,9 @@ JSValuePtr Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registe
                         vPC += 8;
                         NEXT_INSTRUCTION();
                     }
+
+                    // Update baseCell, so that next time around the loop we'll pick up the prototype's prototype.
+                    baseCell = baseObject;
                 }
             }
         }
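Review bot: The assignment `baseCell = baseObject;` at the bottom of the loop mutates a variable declared outside this hunk, so after the `break` taken on a structure mismatch, any code following the loop sees the last prototype whose structure was validated rather than the original base object; that is harmless if the fall-through path only needs to know the cached lookup missed, but it should be confirmed against the code after the loop, which is not visible here. The new comment only describes the next-iteration intent, so I would extend it to `// Update baseCell, so that next time around the loop we'll pick up the prototype's prototype. After a break, baseCell is the last object in the chain whose structure matched the cache.` The `while (true)` loop now exits only through that `break` or the `NEXT_INSTRUCTION()` above it, whose guarding condition is outside the hunk, and the `asObject()` on `prototypeForLookup()` presumes the cached chain never reaches a null prototype before that exit; the per-step structure comparison at the top of the loop is what keeps a stale cache entry from turning into a type confusion, so it must stay ahead of every use of `baseObject`. `privateExecute` begins and ends outside this hunk.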