Author: [email protected]
Date: Tue Jul 7 20:21:27 2009
New Revision: 2384
Modified:
branches/bleeding_edge/src/factory.cc
Log:
Fix unsafe use of DescriptorWriter across allocation.
DescriptorWriters hold a raw pointer to the descriptor array and they
are therefore not GC safe.
Review URL: http://codereview.chromium.org/149304
Modified: branches/bleeding_edge/src/factory.cc
==============================================================================
--- branches/bleeding_edge/src/factory.cc (original)
+++ branches/bleeding_edge/src/factory.cc Tue Jul 7 20:21:27 2009
@@ -570,12 +570,14 @@
int descriptor_count = 0;
// Copy the descriptors from the array.
- DescriptorWriter w(*result);
- for (DescriptorReader r(*array); !r.eos(); r.advance()) {
- if (!r.IsNullDescriptor()) {
- w.WriteFrom(&r);
+ {
+ DescriptorWriter w(*result);
+ for (DescriptorReader r(*array); !r.eos(); r.advance()) {
+ if (!r.IsNullDescriptor()) {
+ w.WriteFrom(&r);
+ }
+ descriptor_count++;
}
- descriptor_count++;
}
// Number of duplicates detected.
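Review bot: The new braces around the copy loop are the only thing that ends the DescriptorWriter's lifetime before the later code that can allocate, and nothing in the hunk says so. A later cleanup could drop them and bring back the stale raw pointer. I would add a comment on the opening brace, such as `// Scope the writer: it holds a raw pointer into *result and must not live across allocation.` The loop still relies on `w.WriteFrom(&r)` not allocating, since both `w` and `r` are built from dereferenced handles. A debug-only `AssertNoAllocation no_gc;` at the top of the block would check that, assuming the helper is usable in factory.cc. The enclosing function starts and ends outside the hunk.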
@@ -594,7 +596,10 @@
if (result->LinearSearch(*key, descriptor_count) ==
DescriptorArray::kNotFound) {
CallbacksDescriptor desc(*key, *entry, entry->property_attributes());
- w.Write(&desc);
+ // We do not use a DescriptorWriter because SymbolFromString can
+ // allocate. A DescriptorWriter holds a raw pointer and is
+ // therefore not GC safe.
+ result->Set(descriptor_count, &desc);
descriptor_count++;
} else {
duplicates++;
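Review bot: `result->Set(descriptor_count, &desc)` writes at an index that nothing in the hunk checks against the size of `result`. The allocation of `result` is outside the hunk, so it is presumably sized for the copied descriptors plus every callback entry, but a silent out-of-range store into a heap array would be hard to diagnose. A debug assertion before the call would make the assumption explicit, for example `ASSERT(descriptor_count < result->number_of_descriptors());` (confirm the accessor name against DescriptorArray). The surrounding loop and the `SymbolFromString` call that the new comment refers to are also outside the hunk.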