[gcmole] Handlify a Map in map-updater.cc

Avoid possible use-after-free. Fixed: v8:10210 Change-Id: Id8bdf70804448b5b793d9d593374f4b588fe3e87 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2253841 Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Auto-Submit: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#68436}
2020-06-19 13:28:05 +02:00 · 2020-06-19 13:28:05 +02:00 · 9f734db6aa
commit 9f734db6aa
parent a7b3d8f95d
1 changed files with 7 additions and 5 deletions
--- a/src/objects/map-updater.cc
+++ b/src/objects/map-updater.cc
@ -713,16 +713,18 @@ MapUpdater::State MapUpdater::ConstructNewMap() {
  TransitionsAccessor transitions(isolate_, split_map);

  // Invalidate a transition target at |key|.
-  Map maybe_transition = transitions.SearchTransition(
-      GetKey(split_index), split_details.kind(), split_details.attributes());
-  if (!maybe_transition.is_null()) {
-    maybe_transition.DeprecateTransitionTree(isolate_);
+  Handle<Map> maybe_transition(
+      transitions.SearchTransition(GetKey(split_index), split_details.kind(),
+                                   split_details.attributes()),
+      isolate_);
+  if (!maybe_transition->is_null()) {
+    maybe_transition->DeprecateTransitionTree(isolate_);
  }

  // If |maybe_transition| is not nullptr then the transition array already
  // contains entry for given descriptor. This means that the transition
  // could be inserted regardless of whether transitions array is full or not.
-  if (maybe_transition.is_null() && !transitions.CanHaveMoreTransitions()) {
+  if (maybe_transition->is_null() && !transitions.CanHaveMoreTransitions()) {
    return Normalize("Normalize_CantHaveMoreTransitions");
  }