Author: [email protected]
Date: Wed Mar 4 07:11:22 2009
New Revision: 1420
Modified:
trunk/src/api.cc
trunk/src/objects.cc
Log:
Merge bleeding_edge revision 1419 to trunk. Fixes a GC unsafety that
can lead to a crash.
Review URL: http://codereview.chromium.org/40110
Modified: trunk/src/api.cc
==============================================================================
--- trunk/src/api.cc (original)
+++ trunk/src/api.cc Wed Mar 4 07:11:22 2009
@@ -2185,7 +2185,7 @@
const char* v8::V8::GetVersion() {
- return "1.0.3.2";
+ return "1.0.3.3";
}
Modified: trunk/src/objects.cc
==============================================================================
--- trunk/src/objects.cc (original)
+++ trunk/src/objects.cc Wed Mar 4 07:11:22 2009
@@ -4880,6 +4880,7 @@
void JSArray::EnsureSize(int required_size) {
+ Handle<JSArray> self(this);
ASSERT(HasFastElements());
if (elements()->length() >= required_size) return;
Handle<FixedArray> old_backing(elements());
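Review bot: The added `Handle<JSArray> self(this);` at the top of EnsureSize carries no comment explaining why a member function takes a handle to its own receiver, and the explanation only appears several lines later in the next hunk. I would put it at the declaration, e.g. `// Factory::NewFixedArray below can trigger a GC that moves this object; reach it through self afterwards.` The handle also presumes that every caller has an active HandleScope, which is not visible here, although the existing `old_backing` handle already relied on the same assumption. The body of EnsureSize continues outside this hunk.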
@@ -4888,8 +4889,9 @@
// constantly growing.
int new_size = required_size + (required_size >> 3);
Handle<FixedArray> new_backing = Factory::NewFixedArray(new_size);
+ // Can't use this any more now because we may have had a GC!
for (int i = 0; i < old_size; i++) new_backing->set(i,
old_backing->get(i));
- SetContent(*new_backing);
+ self->SetContent(*new_backing);
}
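Review bot: After the `Factory::NewFixedArray(new_size)` call, the rule against touching `this` is enforced only by the new comment. Any later edit that adds an implicit-receiver call below it (`elements()`, `HasFastElements()`, a bare `SetContent(...)`) would compile cleanly and reintroduce the stale-pointer use this commit fixes. I would make the comment state the rule precisely, e.g. `// NewFixedArray may have triggered a GC that moved this object; use self, never this, from here on.`, and as a follow-up consider moving the growth path into a static helper that takes `Handle<JSArray>`, so no raw receiver is in scope after the allocation. The commit modifies only api.cc and objects.cc, so no regression test comes with the fix; a test that grows a fast-elements array while a collection is forced during the allocation would pin the behaviour. The start of EnsureSize is in the previous hunk.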