Revision: 24670
Author: [email protected]
Date: Thu Oct 16 19:38:32 2014 UTC
Log: Harden CopyJSObject.
[email protected]
Review URL: https://codereview.chromium.org/489833004
https://code.google.com/p/v8/source/detail?r=24670
Modified:
/branches/bleeding_edge/src/heap/heap.cc
=======================================
--- /branches/bleeding_edge/src/heap/heap.cc Wed Oct 15 14:04:53 2014 UTC
+++ /branches/bleeding_edge/src/heap/heap.cc Thu Oct 16 19:38:32 2014 UTC
@@ -3716,12 +3716,14 @@
AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite*
site) {
- // Never used to copy functions. If functions need to be copied we
- // have to be careful to clear the literals array.
- SLOW_DCHECK(!source->IsJSFunction());
-
// Make the clone.
Map* map = source->map();
+
+ // We can only clone normal objects or arrays. Copying anything else
+ // will break invariants.
+ CHECK(map->instance_type() == JS_OBJECT_TYPE ||
+ map->instance_type() == JS_ARRAY_TYPE);
+
int object_size = map->instance_size();
HeapObject* clone;
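Review bot: The new comment on lines 23–24 loses the rationale the removed SLOW_DCHECK carried — that a cloned function would need its literals array cleared — so a reader now sees "will break invariants" without knowing which invariant or why a hard failure is the right response. Because the guard is now a release-mode CHECK that aborts the process rather than a debug-only assertion, the comment should justify that choice, e.g. `// Only JS_OBJECT_TYPE and JS_ARRAY_TYPE are safe to clone here; other instance types (e.g. JSFunction, whose literals array would need clearing) would leave the copy inconsistent, so fail hard even in release builds.` The commit log "Harden CopyJSObject." could likewise state that this turns a debug-only assertion into a release-build check, since that is the behavioural change callers will observe. CopyJSObject's body continues beyond the hunk, so whether the instance size read on line 28 is the only layout assumption made by the rest of the copy cannot be confirmed from here.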