AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject.

Browse Source 
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/22327008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
mstarzinger@chromium.org 2013-08-09 09:49:15 +00:00
parent 1086e02fef
commit 899e80130e
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/deoptimizer.cc
View File

@ -1675,7 +1675,8 @@ Handle<Object> Deoptimizer::MaterializeNextHeapObject() {
arguments->set_elements(*array);
materialized_objects_->Add(arguments);
for (int i = 0; i < length; ++i) {
array->set(i, *MaterializeNextValue());
Handle<Object> value = MaterializeNextValue();
array->set(i, *value);
}
} else {
// Dispatch on the instance type of the object to be materialized.
@ -1692,10 +1693,13 @@ Handle<Object> Deoptimizer::MaterializeNextHeapObject() {
Handle<JSObject> object =
isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED, false);
materialized_objects_->Add(object);
object->set_properties(FixedArray::cast(*MaterializeNextValue()));
object->set_elements(FixedArray::cast(*MaterializeNextValue()));
Handle<Object> properties = MaterializeNextValue();
Handle<Object> elements = MaterializeNextValue();
object->set_properties(FixedArray::cast(*properties));
object->set_elements(FixedArray::cast(*elements));
for (int i = 0; i < length - 3; ++i) {
object->FastPropertyAtPut(i, *MaterializeNextValue());
Handle<Object> value = MaterializeNextValue();
object->FastPropertyAtPut(i, *value);
}
break;
}