Revision: 3633 Author: [email protected] Date: Mon Jan 18 06:13:58 2010 Log: Fix GC bug
The patching of the receiver added in r3616 was not GC-safe and could leave a failure object in place of the receiver if allocation of the wrapper JS object failed.
Review URL: http://codereview.chromium.org/546068 http://code.google.com/p/v8/source/detail?r=3633 Modified: /branches/bleeding_edge/src/factory.cc /branches/bleeding_edge/src/factory.h /branches/bleeding_edge/src/ic.cc /branches/bleeding_edge/src/ic.h
=======================================
--- /branches/bleeding_edge/src/factory.cc Fri Jan 15 04:25:24 2010
+++ /branches/bleeding_edge/src/factory.cc Mon Jan 18 06:13:58 2010
@@ -716,6 +716,11 @@
 fun->set_context(Top::context()->global_context());
 return fun;
 }
+
+
+Handle<Object> Factory::ToObject(Handle<Object> object) {
+ CALL_HEAP_FUNCTION(object->ToObject(), Object);
+}
 Handle<Object> Factory::ToObject(Handle<Object> object,
=======================================
--- /branches/bleeding_edge/src/factory.h Wed Dec 16 07:43:20 2009
+++ /branches/bleeding_edge/src/factory.h Mon Jan 18 06:13:58 2010
@@ -229,6 +229,7 @@
 static Handle<Code> CopyCode(Handle<Code> code);
+ static Handle<Object> ToObject(Handle<Object> object);
 static Handle<Object> ToObject(Handle<Object> object,
 Handle<Context> global_context);
=======================================
--- /branches/bleeding_edge/src/ic.cc Fri Jan 15 05:42:32 2010
+++ /branches/bleeding_edge/src/ic.cc Mon Jan 18 06:13:58 2010
@@ -378,7 +378,7 @@
 return *delegate;
 }
-void CallIC::ReceiverToObject(Object* object) {
+void CallIC::ReceiverToObject(Handle<Object> object) {
 HandleScope scope;
 Handle<Object> receiver(object);
@@ -387,7 +387,7 @@
 StackFrameLocator locator;
 JavaScriptFrame* frame = locator.FindJavaScriptFrame(0);
 int index = frame->ComputeExpressionsCount() - (argc + 1);
- frame->SetExpression(index, object->ToObject());
+ frame->SetExpression(index, *Factory::ToObject(object));
 }
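Review bot: The one-argument `Factory::ToObject` added in the factory.h hunk has no comment distinguishing it from the two-argument overload directly below it. Going by the commit message, it exists so callers get a GC-safe conversion instead of a possible failure object, and the declaration should say so: `// Converts a primitive to its wrapper object; allocation failure is handled inside rather than returned to the caller.` How other failure kinds are reported depends on `CALL_HEAP_FUNCTION` in factory.cc, which is not visible here, so check the wording against the macro.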
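Review bot: In the ic.cc hunk at -378, `Handle<Object> receiver(object);` is a leftover from the raw-pointer signature. Now that `object` is already a `Handle<Object>`, the line only copies the handle. If `receiver` is not used in the two lines between this hunk and the next (not shown), delete it. Keep `HandleScope scope;`, since it still bounds the handle that `Factory::ToObject` returns. The function body continues outside this hunk.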
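Review bot: `*Factory::ToObject(object)` in the ic.cc hunk at -387 dereferences the returned handle without checking that it is non-empty. If `CALL_HEAP_FUNCTION` can yield an empty handle for failures other than a retryable allocation failure (the macro is not visible here), the dereference happens on an empty handle while patching the receiver slot. The call site only passes strings, numbers and booleans, so this may be unreachable today, but the assumption is worth pinning with an assertion: `Handle<Object> wrapper = Factory::ToObject(object);` `ASSERT(!wrapper.is_null());` `frame->SetExpression(index, *wrapper);`.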
@@ -401,7 +401,7 @@
 }
 if (object->IsString() || object->IsNumber() || object->IsBoolean()) {
- ReceiverToObject(*object);
+ ReceiverToObject(object);
 }
 // Check if the name is trivially convertible to an index and get
=======================================
--- /branches/bleeding_edge/src/ic.h Fri Jan 15 05:42:32 2010
+++ /branches/bleeding_edge/src/ic.h Mon Jan 18 06:13:58 2010
@@ -209,7 +209,7 @@
 // Otherwise, it returns the undefined value.
 Object* TryCallAsFunction(Object* object);
- void ReceiverToObject(Object* object);
+ void ReceiverToObject(Handle<Object> object);
 static void Clear(Address address, Code* target);
 friend class IC;
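Review bot: `ReceiverToObject` in the ic.h hunk still has no comment, even though its contract changed with this commit: it now takes a handle because the conversion allocates. I would document that on the declaration, e.g. `// Replaces the receiver in the calling frame with its wrapper object. May allocate and trigger a GC, so callers must not keep raw Object* values live across the call.` Whether a GC can actually run here depends on `CALL_HEAP_FUNCTION`, which this page does not show, so confirm before committing the wording.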
