From 2541f2507ffc39107462dfa2cce43c6ec672bcc5 Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
 <verwaest@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Mon, 25 Mar 2013 15:59:08 +0000
Subject: [PATCH] Add AssertNoAllocation to ensure TransitionArray* transitions
 is safe.

Review URL: https://chromiumcodereview.appspot.com/12583013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14066 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects-inl.h | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/objects-inl.h b/src/objects-inl.h
index 2bed396aa2..5c848800b3 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1490,13 +1490,17 @@ MaybeObject* JSObject::AddFastPropertyUsingMap(Map* map) {
 bool JSObject::TryTransitionToField(Handle<JSObject> object,
                                     Handle<Name> key) {
   if (!object->map()->HasTransitionArray()) return false;
-  TransitionArray* transitions = object->map()->transitions();
-  int transition = transitions->Search(*key);
-  if (transition == TransitionArray::kNotFound) return false;
-  PropertyDetails target_details = transitions->GetTargetDetails(transition);
-  if (target_details.type() != FIELD) return false;
-  if (target_details.attributes() != NONE) return false;
-  Handle<Map> target(transitions->GetTarget(transition));
+  Handle<Map> target;
+  {
+    AssertNoAllocation no_allocation;
+    TransitionArray* transitions = object->map()->transitions();
+    int transition = transitions->Search(*key);
+    if (transition == TransitionArray::kNotFound) return false;
+    PropertyDetails target_details = transitions->GetTargetDetails(transition);
+    if (target_details.type() != FIELD) return false;
+    if (target_details.attributes() != NONE) return false;
+    target = Handle<Map>(transitions->GetTarget(transition));
+  }
   JSObject::AddFastPropertyUsingMap(object, target);
   return true;
 }