Author: [EMAIL PROTECTED]
Date: Mon Oct  6 06:20:27 2008
New Revision: 444

Modified:
    branches/bleeding_edge/src/runtime.cc
    branches/bleeding_edge/test/mjsunit/mjsunit.status

Log:
Fixed unsafe code where a GC could occur after a Handle had been  
dereferenced.

   instances->set(i, *GetScriptWrapper(script));

GetScriptWrapper can call GC. The failure have only been seen on ARM, where
the g++ compiler pulls out the object from the instances handle to a  
register
before calling GetScriptWrapper causing set to be called on an object which
may have moved.

Marked a test on ARM as no longer flaky, whereas two other fails  
consistently
but that is no longer related to the problem fixed above.

BUG=1308895
Review URL: http://codereview.chromium.org/6271

Modified: branches/bleeding_edge/src/runtime.cc
==============================================================================
--- branches/bleeding_edge/src/runtime.cc       (original)
+++ branches/bleeding_edge/src/runtime.cc       Mon Oct  6 06:20:27 2008
@@ -4697,8 +4697,14 @@

    // Convert the script objects to proper JS objects.
    for (int i = 0; i < count; i++) {
-    Handle<Script> script(Script::cast(instances->get(i)));
-    instances->set(i, *GetScriptWrapper(script));
+    Handle<Script> script =  
Handle<Script>(Script::cast(instances->get(i)));
+    // Get the script wrapper in a local handle before calling  
GetScriptWrapper,
+    // because using
+    //   instances->set(i, *GetScriptWr apper(script))
+    // is unsafe as GetScriptWrapper might call GC and the C++ compiler  
might
+    // already have deferenced the instances handle.
+    Handle<JSValue> wrapper = GetScriptWrapper(script);
+    instances->set(i, *wrapper);
    }

    // Return result as a JS array.
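Review bot: The comment added above `Handle<JSValue> wrapper = GetScriptWrapper(script);` blames the compiler, but the root cause is that C++ leaves the evaluation order of `instances->` and the argument unspecified, so the old one-liner was a latent stale-pointer write into a moved heap object on every target, not only ARM. I would say that directly and fix the misspellings ("GetScriptWr apper", possibly a mail-archive artifact, and "deferenced") so the warning can be found by grep, e.g. `// Unsafe: evaluation order is unspecified, so instances may be dereferenced before GetScriptWrapper allocates and the GC moves the array.` The same `handle->set(i, *MayAllocate())` shape may exist at other call sites, which are worth auditing in the same change. The loop's enclosing function and any HandleScope start outside this hunk, so whether the two handles created per iteration are bounded cannot be confirmed from here.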

Modified: branches/bleeding_edge/test/mjsunit/mjsunit.status
==============================================================================
--- branches/bleeding_edge/test/mjsunit/mjsunit.status  (original)
+++ branches/bleeding_edge/test/mjsunit/mjsunit.status  Mon Oct  6 06:20:27  
2008
@@ -57,11 +57,7 @@
  debug-step-stub-callfunction: FAIL
  debug-stepin-constructor: FAIL
  debug-step: FAIL
-regress/regress-998565: FAIL
-
-# Bug number 1308895: These tests pass on the ARM simulator, but
-# fail on the ARM Linux machine.
-debug-script-breakpoints: PASS || FAIL
-debug-scripts-request: PASS || FAIL
+debug-script-breakpoints: FAIL
  debug-breakpoints: PASS || FAIL

+regress/regress-998565: FAIL
