AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Harden CopyJSObject.

Browse Source 
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/489833004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24670 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
dslomov@chromium.org 2014-10-16 19:38:32 +00:00
parent 9c7a753e51
commit 80acb53d22
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/heap/heap.cc
View File

@ -3716,12 +3716,14 @@ AllocationResult Heap::AllocateJSObject(JSFunction* constructor,
AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite* site) {
// Never used to copy functions. If functions need to be copied we
// have to be careful to clear the literals array.
SLOW_DCHECK(!source->IsJSFunction());
// Make the clone.
Map* map = source->map();
// We can only clone normal objects or arrays. Copying anything else
// will break invariants.
CHECK(map->instance_type() == JS_OBJECT_TYPE ||
map->instance_type() == JS_ARRAY_TYPE);
int object_size = map->instance_size();
HeapObject* clone;