Reviewers: ulan,

Description:
Make sure backing store pointers in handles get cleared after use in the factory.

BUG=442710
LOG=n

Please review this at https://codereview.chromium.org/813023002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+18, -1 lines):
  M src/factory.cc
  M test/cctest/test-heap.cc


Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index 83e5a440d6591feebe0b4c47392598895c7e8409..eb16a6cd42bcaefa59317b3298b2fa6f484259e3 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1662,7 +1662,6 @@ Handle<JSArray> Factory::NewJSArrayWithElements(Handle<FixedArrayBase> elements,
                                                 PretenureFlag pretenure) {
   DCHECK(length <= elements->length());
   Handle<JSArray> array = NewJSArray(elements_kind, pretenure);
-
   array->set_elements(*elements);
   array->set_length(Smi::FromInt(length));
   JSObject::ValidateElements(array);
@@ -1682,6 +1681,7 @@ void Factory::NewJSArrayStorage(Handle<JSArray> array,
     return;
   }

+  HandleScope inner_scope(isolate());
   Handle<FixedArrayBase> elms;
   ElementsKind elements_kind = array->GetElementsKind();
   if (IsFastDoubleElementsKind(elements_kind)) {
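Review bot: The new `HandleScope inner_scope(isolate());` carries no comment saying why a nested scope is needed at this point, and nothing in the surrounding lines makes it obvious, so a later cleanup could drop it as redundant and silently reintroduce the bug. Suggest placing `// Scope the handles created while building the backing store so that no stale pointer to it survives in the caller's HandleScope (BUG=442710).` directly above it. NewJSArrayStorage's body continues past the end of the hunk, so please confirm that `elms` and any other handle created under the inner scope is only dereferenced before the scope closes and that nothing from it escapes through a handle the caller retains.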
Index: test/cctest/test-heap.cc
diff --git a/test/cctest/test-heap.cc b/test/cctest/test-heap.cc
index 2d15786f89ee03af59847a8e2687d3b5ef1f412d..edb47d2559d468623fdfae7edb53d71841e3ebf1 100644
--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -5006,6 +5006,23 @@ TEST(Regress3631) {
 }


+TEST(Regress442710) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = isolate->heap();
+  Factory* factory = isolate->factory();
+
+  HandleScope sc(isolate);
+ Handle<GlobalObject> global(CcTest::i_isolate()->context()->global_object());
+  Handle<JSArray> array = factory->NewJSArray(2);
+
+  Handle<String> name = factory->InternalizeUtf8String("testArray");
+  JSReceiver::SetProperty(global, name, array, SLOPPY).Check();
+  CompileRun("testArray[0] = 1; testArray[1] = 2; testArray.shift();");
+  heap->CollectGarbage(OLD_POINTER_SPACE);
+}
+
+
 #ifdef DEBUG
 TEST(PathTracer) {
   CcTest::InitializeVM();
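Review bot: The `Handle<GlobalObject> global(...)` line in Regress442710 is indented one space instead of two, and it re-fetches the isolate via `CcTest::i_isolate()` although the `isolate` local declared three lines earlier holds the same value; `  Handle<GlobalObject> global(isolate->context()->global_object());` fixes both. The test also has no comment stating what it guards, so a reader has to reconstruct the scenario from the bug number; above the `CompileRun` line suggest `// shift() shrinks the elements store; a stale handle to the old backing store left behind by the factory is what the old-space GC below is meant to catch.` The mechanism described in that comment is inferred from the commit description rather than visible in the hunk, so adjust the wording if the actual failure mode differs.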

