[v8-dev] [v8 commit] r1513 - Fix GC related crash bug in search-replace.

codesite-noreply Sun, 15 Mar 2009 16:06:24 -0700

Author: [email protected]
Date: Sun Mar 15 15:28:26 2009
New Revision: 1513


Added:
    branches/bleeding_edge/test/mjsunit/regress/regress-AddElement.js
Modified:
    branches/bleeding_edge/src/runtime.cc

Log:
Fix GC related crash bug in search-replace.
Review URL: http://codereview.chromium.org/42214

Modified: branches/bleeding_edge/src/runtime.cc
==============================================================================
--- branches/bleeding_edge/src/runtime.cc       (original)
+++ branches/bleeding_edge/src/runtime.cc       Sun Mar 15 15:28:26 2009
@@ -1146,10 +1146,10 @@
            StringBuilderSubstringPosition::is_valid(from)) {
          int encoded_slice = StringBuilderSubstringLength::encode(length) |
              StringBuilderSubstringPosition::encode(from);
-        AddElement(Smi::FromInt(encoded_slice));
+        AddElement(Handle<Object>(Smi::FromInt(encoded_slice)));
        } else {
          Handle<String> slice = Factory::NewStringSlice(subject_, from, to);
-        AddElement(*slice);
+        AddElement(slice);
        }
        IncrementCharacterCount(length);
      }
@@ -1160,7 +1160,7 @@
      StringShape shape(*string);
      int length = string->length(shape);
      if (length > 0) {
-      AddElement(*string);
+      AddElement(string);
        if (!shape.IsAsciiRepresentation()) {
          is_ascii_ = false;
        }
@@ -1220,7 +1220,7 @@
    }


-  void AddElement(Object* element) {
+  void AddElement(Handle<Object> element) {
      ASSERT(element->IsSmi() || element->IsString());
      // Extend parts_ array if necessary.
      if (parts_->length() == part_count_) {
@@ -1229,7 +1229,7 @@
        parts_->CopyTo(0, *extended_array, 0, part_count_);
        parts_ = extended_array;
      }
-    parts_->set(part_count_, element);
+    parts_->set(part_count_, *element);
      part_count_++;
    }

@@ -1551,12 +1551,16 @@

    do {
      ASSERT(last_match_info_handle->HasFastElements());
-    FixedArray* match_info_array = last_match_info_handle->elements();
-
-    ASSERT_EQ(capture_count * 2 + 2,
-              RegExpImpl::GetLastCaptureCount(match_info_array));
-    int start = RegExpImpl::GetCapture(match_info_array, 0);
-    int end = RegExpImpl::GetCapture(match_info_array, 1);
+    int start, end;
+    {
+      AssertNoAllocation match_info_array_is_not_in_a_handle;
+      FixedArray* match_info_array = last_match_info_handle->elements();
+
+      ASSERT_EQ(capture_count * 2 + 2,
+                RegExpImpl::GetLastCaptureCount(match_info_array));
+      start = RegExpImpl::GetCapture(match_info_array, 0);
+      end = RegExpImpl::GetCapture(match_info_array, 1);
+    }

      if (prev < start) {
        builder.AddSubjectSlice(prev, start);

Added: branches/bleeding_edge/test/mjsunit/regress/regress-AddElement.js
==============================================================================
--- (empty file)
+++ branches/bleeding_edge/test/mjsunit/regress/regress-AddElement.js   Sun  
Mar 15 15:28:26 2009
@@ -0,0 +1,29 @@
+// Flags: --always-compact
+//
+// Regression test for the r1512 fix.
+
+var foo = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+foo = foo + foo;
+
+foo.replace(/[b]/, "c");  // Flatten foo;
+
+var moving_string = "b" + "c";
+
+var bar = foo.replace(/[a]/g, moving_string);
+
+print(bar.length);

--~--~---------~--~----~------------~-------~--~----~
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
-~----------~----~----~----~------~----~------~--~---

[v8-dev] [v8 commit] r1513 - Fix GC related crash bug in search-replace.

Reply via email to