http://codereview.chromium.org/6523052/diff/12004/src/ic.cc
File src/ic.cc (right):

http://codereview.chromium.org/6523052/diff/12004/src/ic.cc#newcode815
src/ic.cc:815: ReceiverToObjectIfRequired(result, object);
I should have caught this earlier: result is a raw pointer and you are using it after this call. This call can allocate, which can cause a GC, which can move the result. We need the result handlified before calling ReceiverToObjectIfRequired. The same is the case above.

http://codereview.chromium.org/6523052/

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

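The hazard the reviewer describes (a raw pointer into a moving heap used after a call that can allocate and therefore collect) is easy to reproduce outside V8. The block below is an added example written for this page, not code from V8 or from the change under review: it builds a tiny semispace copying collector in which only handle-table entries are roots, then reads one object through a raw pointer and through a handle after an allocation that triggers a collection. `ToyHeap`, `Handlify`, `Deref`, the capacity of 4 and the `-1` poison value are all constructed for the demonstration; V8's real `Handle<T>` is a different mechanism, but the property it provides is the same one shown here: the indirection is updated when the object moves, the raw pointer is not.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

struct Obj { int value; };

// Minimal semispace copying collector, constructed for this example.
// Objects live in from_; a collection copies every live object into to_,
// updates the handle table, and flips the spaces. Anything not reachable
// from a handle is dropped, and the old space is poisoned to model reuse.
class ToyHeap {
 public:
  struct Handle { std::size_t slot; };  // index into the handle table
  static constexpr std::size_t kCapacity = 4;

  ToyHeap() : from_(a_), to_(b_), top_(0), gc_count_(0) {}

  // May run a collection when the current space is full; that moves every
  // live object, so any raw Obj* held across this call becomes stale.
  Obj* Allocate(int v) {
    if (top_ == kCapacity) Collect();
    Obj* o = &from_[top_++];
    o->value = v;
    return o;
  }

  // Register the object as a root; the returned handle stays valid across GC.
  Handle Handlify(Obj* raw) {
    handles_.push_back(raw);
    return Handle{handles_.size() - 1};
  }
  Obj* Deref(Handle h) const { return handles_[h.slot]; }
  int gc_count() const { return gc_count_; }

 private:
  void Collect() {
    Obj* forward[kCapacity] = {};  // old slot -> new location, so each object is copied once
    std::size_t new_top = 0;
    for (Obj*& root : handles_) {  // handles are the only roots
      std::size_t idx = static_cast<std::size_t>(root - from_);
      if (!forward[idx]) {
        to_[new_top].value = root->value;
        forward[idx] = &to_[new_top++];
      }
      root = forward[idx];  // handle table now points at the moved object
    }
    for (std::size_t i = 0; i < kCapacity; ++i) from_[i].value = -1;  // poison old space
    Obj* t = from_; from_ = to_; to_ = t;
    top_ = new_top;
    ++gc_count_;
  }

  Obj a_[kCapacity], b_[kCapacity];
  Obj* from_;
  Obj* to_;
  std::size_t top_;
  int gc_count_;
  std::vector<Obj*> handles_;
};

// Fills the heap so that the last Allocate triggers exactly one collection.
static void AllocateUntilGc(ToyHeap& heap) {
  for (std::size_t i = 0; i < ToyHeap::kCapacity; ++i) heap.Allocate(static_cast<int>(i));
}

// The pattern flagged in the review: hold a raw pointer, call something that
// allocates, then use the pointer. The read lands in the poisoned old space.
int ReadAfterAllocation_Raw() {
  ToyHeap heap;
  Obj* result = heap.Allocate(42);
  AllocateUntilGc(heap);   // allocation -> GC -> result moved/discarded
  return result->value;    // stale pointer: returns -1, not 42
}

// The fix the reviewer asks for: handlify before the allocating call and
// read through the handle afterwards.
int ReadAfterAllocation_Handle() {
  ToyHeap heap;
  ToyHeap::Handle result = heap.Handlify(heap.Allocate(42));
  AllocateUntilGc(heap);               // GC moves the object and updates the handle
  return heap.Deref(result)->value;    // 42
}

int main() {
  std::printf("raw pointer after GC:    %d\n", ReadAfterAllocation_Raw());
  std::printf("handle after GC:         %d\n", ReadAfterAllocation_Handle());
  return 0;
}
```

The raw-pointer version is the dangerous case even though the program does not crash: in a real heap the stale address may hold a different object by the time it is read, which is why a use like the one at `src/ic.cc:815` is a memory-safety bug rather than a mere logic error.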