Reviewers: Erik Corry, Description: Merge bleeding_edge revision 1419 to trunk. Fixes a GC unsafety that can lead to a crash.
Please review this at http://codereview.chromium.org/40110 SVN Base: http://v8.googlecode.com/svn/trunk/ Affected files: M src/api.cc M src/objects.cc
Index: src/api.cc
===================================================================
--- src/api.cc (revision 1419)
+++ src/api.cc (working copy)
@@ -2185,7 +2185,7 @@
 const char* v8::V8::GetVersion() {
- return "1.0.3.2";
+ return "1.0.3.3";
 }
Index: src/objects.cc
===================================================================
--- src/objects.cc (revision 1419)
+++ src/objects.cc (working copy)
@@ -4880,6 +4880,7 @@
 void JSArray::EnsureSize(int required_size) {
+ Handle<JSArray> self(this);
 ASSERT(HasFastElements());
 if (elements()->length() >= required_size) return;
 Handle<FixedArray> old_backing(elements());
@@ -4888,8 +4889,9 @@
 // constantly growing.
 int new_size = required_size + (required_size >> 3);
 Handle<FixedArray> new_backing = Factory::NewFixedArray(new_size);
+ // Can't use this any more now because we may have had a GC!
 for (int i = 0; i < old_size; i++) new_backing->set(i, old_backing->get(i));
- SetContent(*new_backing);
+ self->SetContent(*new_backing);
 }
--~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
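Review bot: In the second src/objects.cc hunk, the rule that `this` is dead after `Factory::NewFixedArray(new_size)` is carried only by a comment, so a later edit that adds an unqualified member call below it (as the removed `SetContent(*new_backing)` was) compiles cleanly and brings the stale-pointer access back. The comment would hold up better if it named the replacement, for example `// The allocation above may have triggered a GC that moved this object; use self-> from here on, never this or an unqualified member call.`, and the first objects.cc hunk's `Handle<JSArray> self(this);` deserves a matching line saying it exists to track the receiver across that allocation. A sturdier form, if the callers allow it, is a static helper that takes the `Handle<JSArray>`, so the post-allocation code has no `this` to misuse. The affected-files list names only src/api.cc and src/objects.cc, so as far as this page shows no regression test travels with the merge. EnsureSize spans both hunks, and two of its lines fall between them, outside the diff.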
