Correctly handlify two frame {Summarize} methods

{JavaScriptFrame::GetParameters} allocates a new {FixedArray}, hence all object references need to be handified to survive that allocation. R=mstarzinger@chromium.org Bug: chromium:1000635 Change-Id: I76df5ac109bdb6999fe897bdafaf2175344ecca4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1787429 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#63583}
2019-09-05 15:56:55 +02:00 · 2019-09-05 15:56:55 +02:00 · fba03abcfa
commit fba03abcfa
parent 470e68570e
2 changed files with 21 additions and 5 deletions
--- a/src/execution/frames.cc
+++ b/src/execution/frames.cc
@ -1147,11 +1147,11 @@ void JavaScriptFrame::Summarize(std::vector<FrameSummary>* functions) const {
  DCHECK(functions->empty());
  Code code = LookupCode();
  int offset = static_cast<int>(pc() - code.InstructionStart());
-  AbstractCode abstract_code = AbstractCode::cast(code);
+  Handle<AbstractCode> abstract_code(AbstractCode::cast(code), isolate());
  Handle<FixedArray> params = GetParameters();
  FrameSummary::JavaScriptFrameSummary summary(
-      isolate(), receiver(), function(), abstract_code, offset, IsConstructor(),
-      *params);
+      isolate(), receiver(), function(), *abstract_code, offset,
+      IsConstructor(), *params);
  functions->push_back(summary);
 }

@ -1824,10 +1824,11 @@ void InterpretedFrame::WriteInterpreterRegister(int register_index,

 void InterpretedFrame::Summarize(std::vector<FrameSummary>* functions) const {
  DCHECK(functions->empty());
-  AbstractCode abstract_code = AbstractCode::cast(GetBytecodeArray());
+  Handle<AbstractCode> abstract_code(AbstractCode::cast(GetBytecodeArray()),
+                                     isolate());
  Handle<FixedArray> params = GetParameters();
  FrameSummary::JavaScriptFrameSummary summary(
-      isolate(), receiver(), function(), abstract_code, GetBytecodeOffset(),
+      isolate(), receiver(), function(), *abstract_code, GetBytecodeOffset(),
      IsConstructor(), *params);
  functions->push_back(summary);
 }
--- a/test/mjsunit/regress/regress-1000635.js
+++ b/test/mjsunit/regress/regress-1000635.js
@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --stress-compaction --detailed-error-stack-trace --gc-interval=1
+
+function add(a, b) {
+  throw new Error();
+}
+for (let i = 0; i < 100; ++i) {
+  try {
+    add(1, 2);
+  } catch (e) {
+  }
+}