Fix non-idempotent modification in JSObject::AddFastProperty.

R=verwaest@chromium.org BUG=mozilla/ecma/Array/15.4.5.2-2 Review URL: https://codereview.chromium.org/15955010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-31 11:58:39 +00:00 · 2013-05-31 11:58:39 +00:00 · b8154d9353
commit b8154d9353
parent 3718dae502
1 changed files with 7 additions and 4 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -1824,15 +1824,18 @@ MaybeObject* JSObject::AddFastProperty(Name* name,

  Heap* heap = isolate->heap();

-  Map* new_map;
-  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
-  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
-
  Object* storage;
  MaybeObject* maybe_storage =
      value->AllocateNewStorageFor(heap, representation);
  if (!maybe_storage->To(&storage)) return maybe_storage;

+  // Note that Map::CopyAddDescriptor has side-effects, the new map is already
+  // inserted in the transition tree. No more allocations that might fail are
+  // allowed after this point.
+  Map* new_map;
+  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
+  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
+
  if (map()->unused_property_fields() == 0) {
    ASSERT(values != NULL);
    set_properties(values);