Fix an early dereference in ReplacementStringBuilder

This fixes an early handle dereference before a potential allocation in ReplacementStringBuilder. Bug: chromium:935101 Change-Id: I03cf2b18b577a38af818dcc42f7c430faba23450 Reviewed-on: https://chromium-review.googlesource.com/c/1485831 Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#59811}
2019-02-25 10:32:34 +01:00 · 2019-02-25 10:32:34 +01:00 · 5bba1e46c3
commit 5bba1e46c3
parent 6e94676d15
2 changed files with 5 additions and 4 deletions
--- a/src/string-builder-inl.h
+++ b/src/string-builder-inl.h
@ -103,7 +103,7 @@ class ReplacementStringBuilder {
  }

 private:
-  void AddElement(Object element);
+  void AddElement(Handle<Object> element);
  void EnsureCapacity(int elements);

  Heap* heap_;
--- a/src/string-builder.cc
+++ b/src/string-builder.cc
@ -180,7 +180,7 @@ void ReplacementStringBuilder::EnsureCapacity(int elements) {
 void ReplacementStringBuilder::AddString(Handle<String> string) {
  int length = string->length();
  DCHECK_GT(length, 0);
-  AddElement(*string);
+  AddElement(string);
  if (!string->IsOneByteRepresentation()) {
    is_one_byte_ = false;
  }
@ -221,10 +221,11 @@ MaybeHandle<String> ReplacementStringBuilder::ToString() {
  return joined_string;
 }

-void ReplacementStringBuilder::AddElement(Object element) {
+void ReplacementStringBuilder::AddElement(Handle<Object> element) {
  DCHECK(element->IsSmi() || element->IsString());
  EnsureCapacity(1);
-  array_builder_.Add(element);
+  DisallowHeapAllocation no_gc;
+  array_builder_.Add(*element);
 }

 IncrementalStringBuilder::IncrementalStringBuilder(Isolate* isolate)