Fix GC unsafety in ToPropertyDescriptorFastPath

Reading an object property can allocate a HeapNumber (even with unboxed double fields turned off: we still use MutableHeapNumbers to store properties). Bug: chromium:1049859 Change-Id: I82228ccb98403b3db82671743f51b2e23f6636d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2050385 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#66218}
2020-02-11 11:55:45 +01:00 · 2020-02-11 11:55:45 +01:00 · cdd0a392ad
commit cdd0a392ad
parent 51cdea5def
1 changed files with 1 additions and 1 deletions
--- a/src/objects/property-descriptor.cc
+++ b/src/objects/property-descriptor.cc
@ -60,7 +60,6 @@ bool ToPropertyDescriptorFastPath(Isolate* isolate, Handle<JSReceiver> obj,
      Handle<DescriptorArray>(map.instance_descriptors(), isolate);
  for (InternalIndex i : map.IterateOwnDescriptors()) {
    PropertyDetails details = descs->GetDetails(i);
-    Name key = descs->GetKey(i);
    Handle<Object> value;
    if (details.location() == kField) {
      if (details.kind() == kData) {
@ -83,6 +82,7 @@ bool ToPropertyDescriptorFastPath(Isolate* isolate, Handle<JSReceiver> obj,
        return false;
      }
    }
+    Name key = descs->GetKey(i);
    ReadOnlyRoots roots(isolate);
    if (key == roots.enumerable_string()) {
      desc->set_enumerable(value->BooleanValue(isolate));