Reviewers: Benedikt Meurer,

Description:
Version 3.30.33.11 (cherry-pick)

Merged 377de64246b3c1449f4e2090622ae1e1691e51ae

Make sure backing store pointers in handles get cleared after use in the factory.

BUG=442710
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/823583002/

Base URL: https://chromium.googlesource.com/v8/[email protected]

Affected files (+19, -1 lines):
  M src/factory.cc
  M src/version.cc
  M test/cctest/test-heap.cc


Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index 72974a317c18646800178b4c10340a85b444afcf..19df01a961b46647ed7035f7584141a36e0a4daf 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1665,6 +1665,7 @@ void Factory::NewJSArrayStorage(Handle<JSArray> array,
     return;
   }

+  HandleScope inner_scope(isolate());
   Handle<FixedArrayBase> elms;
   ElementsKind elements_kind = array->GetElementsKind();
   if (IsFastDoubleElementsKind(elements_kind)) {
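Review bot: The added `HandleScope inner_scope(isolate());` carries no explanation of why the storage allocation now needs its own scope, which is the whole point of the fix and will not be obvious to the next reader of NewJSArrayStorage. A one-line why-comment above it would tie the line to the issue, e.g. `// Scope the temporary handles created below so their backing-store pointers do not outlive this call (BUG=442710).`. Since NewJSArrayStorage's body continues past the hunk, it is worth confirming there that no handle created after this line is stored or returned beyond the scope without CloseAndEscape, as the scope's destruction would otherwise leave a dangling handle; from the visible lines alone that cannot be verified.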
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index e65985abb39a4002d9097e1cbb34b565dac284de..057c7e4d13b97e4144fb2d01e7dfdb543b83a2c6 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     30
 #define BUILD_NUMBER      33
-#define PATCH_LEVEL       10
+#define PATCH_LEVEL       11
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/cctest/test-heap.cc
diff --git a/test/cctest/test-heap.cc b/test/cctest/test-heap.cc
index 543a89dcb18990f31d2fc8b94cb5be23b211245b..0d43c06348b0dab99a35e3f22413e921ed0de9bc 100644
--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -4742,6 +4742,23 @@ TEST(Regress3631) {
 }


+TEST(Regress442710) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = isolate->heap();
+  Factory* factory = isolate->factory();
+
+  HandleScope sc(isolate);
+ Handle<GlobalObject> global(CcTest::i_isolate()->context()->global_object());
+  Handle<JSArray> array = factory->NewJSArray(2);
+
+  Handle<String> name = factory->InternalizeUtf8String("testArray");
+  JSReceiver::SetProperty(global, name, array, SLOPPY).Check();
+  CompileRun("testArray[0] = 1; testArray[1] = 2; testArray.shift();");
+  heap->CollectGarbage(OLD_POINTER_SPACE);
+}
+
+
 #ifdef DEBUG
 TEST(PathTracer) {
   CcTest::InitializeVM();
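Review bot: The line declaring `global` is indented with one space instead of the two used everywhere else in the test, and it re-fetches the isolate through `CcTest::i_isolate()` even though the local `isolate` was just obtained on the line above; `  Handle<GlobalObject> global(isolate->context()->global_object());` fixes both. The test also ends at `heap->CollectGarbage(OLD_POINTER_SPACE);` with no assertion, so it appears to rely on the collector's own verification or a crash to detect the regression; a short comment such as `// Regression test for BUG=442710: a stale backing-store pointer in a handle must not survive the GC after shift().` would make that intent explicit for readers who expect a CHECK.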

