Fix GC bug

The patching of the receiver added in r3616 was not GC-safe and could leave a failure object in place of the receiver if allocation of the wrapper JS object failed. Review URL: http://codereview.chromium.org/546068 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3633 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-01-18 14:13:58 +00:00 · 2010-01-18 14:13:58 +00:00 · 8707b36233
commit 8707b36233
parent ef0743abd7
4 changed files with 10 additions and 4 deletions
--- a/src/factory.cc
+++ b/src/factory.cc
@ -718,6 +718,11 @@ Handle<JSFunction> Factory::NewFunction(Handle<String> name,
 }


+Handle<Object> Factory::ToObject(Handle<Object> object) {
+  CALL_HEAP_FUNCTION(object->ToObject(), Object);
+}
+
+
 Handle<Object> Factory::ToObject(Handle<Object> object,
                                 Handle<Context> global_context) {
  CALL_HEAP_FUNCTION(object->ToObject(*global_context), Object);
--- a/src/factory.h
+++ b/src/factory.h
@ -229,6 +229,7 @@ class Factory : public AllStatic {

  static Handle<Code> CopyCode(Handle<Code> code);

+  static Handle<Object> ToObject(Handle<Object> object);
  static Handle<Object> ToObject(Handle<Object> object,
                                 Handle<Context> global_context);

--- a/src/ic.cc
+++ b/src/ic.cc
@ -378,7 +378,7 @@ Object* CallIC::TryCallAsFunction(Object* object) {
  return *delegate;
 }

-void CallIC::ReceiverToObject(Object* object) {
+void CallIC::ReceiverToObject(Handle<Object> object) {
  HandleScope scope;
  Handle<Object> receiver(object);

@ -387,7 +387,7 @@ void CallIC::ReceiverToObject(Object* object) {
  StackFrameLocator locator;
  JavaScriptFrame* frame = locator.FindJavaScriptFrame(0);
  int index = frame->ComputeExpressionsCount() - (argc + 1);
-  frame->SetExpression(index, object->ToObject());
+  frame->SetExpression(index, *Factory::ToObject(object));
 }


@ -401,7 +401,7 @@ Object* CallIC::LoadFunction(State state,
  }

  if (object->IsString() || object->IsNumber() || object->IsBoolean()) {
-    ReceiverToObject(*object);
+    ReceiverToObject(object);
  }

  // Check if the name is trivially convertible to an index and get
--- a/src/ic.h
+++ b/src/ic.h
@ -209,7 +209,7 @@ class CallIC: public IC {
  // Otherwise, it returns the undefined value.
  Object* TryCallAsFunction(Object* object);

-  void ReceiverToObject(Object* object);
+  void ReceiverToObject(Handle<Object> object);

  static void Clear(Address address, Code* target);
  friend class IC;