Reviewers: Toon Verwaest,
Message:
Committed patchset #1 (id:1) manually as 24670 (presubmit successful).
Description:
Harden CopyJSObject.
[email protected]
Committed: https://code.google.com/p/v8/source/detail?r=24670
Please review this at https://codereview.chromium.org/489833004/
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+6, -4 lines):
M src/heap/heap.cc
Index: src/heap/heap.cc
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index 1c966b350d2aee49a480e56c4f1c53b8619f25bf..cd61c17d71caa1d0fe071c67ddacc523492d6608 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3684,12 +3684,14 @@ AllocationResult Heap::AllocateJSObject(JSFunction*
constructor,
AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite*
site) {
- // Never used to copy functions. If functions need to be copied we
- // have to be careful to clear the literals array.
- SLOW_DCHECK(!source->IsJSFunction());
-
// Make the clone.
Map* map = source->map();
+
+ // We can only clone normal objects or arrays. Copying anything else
+ // will break invariants.
+ CHECK(map->instance_type() == JS_OBJECT_TYPE ||
+ map->instance_type() == JS_ARRAY_TYPE);
+
int object_size = map->instance_size();
HeapObject* clone;
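Review bot: the new CHECK after `Map* map = source->map();` is a strict improvement over the removed `SLOW_DCHECK(!source->IsJSFunction())` (a debug-only denylist becomes a release-mode allowlist of JS_OBJECT_TYPE and JS_ARRAY_TYPE), but the replacement comment "Copying anything else will break invariants" loses the concrete rationale the old comment carried; suggest keeping the note that functions must not be cloned because their literals array would have to be cleared, so the next reader knows which invariant the check protects. Minor: `map->instance_type()` is evaluated twice in the condition; a local `InstanceType type = map->instance_type();` would read cleaner. Note also that CHECK aborts the process rather than returning a failed AllocationResult, which is the intended behaviour for hardening against callers that violate the precondition, so no change needed there.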
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev