AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[runtime] Fix Object.create(null) initialization order

Browse Source 
A GC might cause the just created dictionary object to have an invalid backing
store, which breaks heap verification.

BUG=chromium:659088

Review-Url: https://codereview.chromium.org/2452653002
Cr-Commit-Position: refs/heads/master@{#40574}
This commit is contained in:
cbruni 2016-10-26 00:17:02 -07:00 committed by Commit bot
parent 9f4f582bbf
commit f5d4f8f80f
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/runtime/runtime-object.cc
View File

@ -247,13 +247,18 @@ RUNTIME_FUNCTION(Runtime_ObjectCreate) {
} }
} }
bool is_dictionary_map = map->is_dictionary_map();
Handle<FixedArray> object_properties;
if (is_dictionary_map) {
// Allocate the actual properties dictionay up front to avoid invalid object
// state.
object_properties =
NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
}
// Actually allocate the object. // Actually allocate the object.
Handle<JSObject> object = isolate->factory()->NewJSObjectFromMap(map); Handle<JSObject> object = isolate->factory()->NewJSObjectFromMap(map);
if (is_dictionary_map) {
if (map->is_dictionary_map()) { object->set_properties(*object_properties);
Handle<NameDictionary> properties =
NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
object->set_properties(*properties);
} }
// Define the properties if properties was specified and is not undefined. // Define the properties if properties was specified and is not undefined.