AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

When redefining accessor properties, defensively copy AccessorPairs.

Browse Source 
The previous code relied on the tricky global invariant that there is no map
sharing when accessor properties are involved (or in other words: that
TransformToFastProperties is dumb enough :-). Although this is not a real
problem with the current code, this assumption breaks when map sharing in fast
mode is enabled, so we defensively copy an AccessorPair.

Review URL: https://chromiumcodereview.appspot.com/9430048

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10810 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
svenpanne@chromium.org 2012-02-23 12:12:28 +00:00
parent fbc230e42b
commit a1f3c9407f
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/objects.cc
View File

@ -4471,9 +4471,14 @@ MaybeObject* JSObject::DefinePropertyAccessor(String* name,
Object* obj = result.GetCallbackObject(); Object* obj = result.GetCallbackObject();
// Need to preserve old getters/setters. // Need to preserve old getters/setters.
if (obj->IsAccessorPair()) { if (obj->IsAccessorPair()) {
AccessorPair::cast(obj)->set(is_getter, fun); AccessorPair* copy;
{ MaybeObject* maybe_copy =
AccessorPair::cast(obj)->CopyWithoutTransitions();
if (!maybe_copy->To(&copy)) return maybe_copy;
}
copy->set(is_getter, fun);
// Use set to update attributes. // Use set to update attributes.
{ MaybeObject* maybe_ok = SetPropertyCallback(name, obj, attributes); { MaybeObject* maybe_ok = SetPropertyCallback(name, copy, attributes);
if (maybe_ok->IsFailure()) return maybe_ok; if (maybe_ok->IsFailure()) return maybe_ok;
} }
return GetHeap()->undefined_value(); return GetHeap()->undefined_value();