Status: New
Owner: ----
CC: [email protected], [email protected]
Labels: Type-Bug Priority-Medium
New issue 1502 by [email protected]: Weak callbacks can break
assumptions in optimized code
http://code.google.com/p/v8/issues/detail?id=1502
Here's an example of an API test that corrupts the heap:
void ChangingStuffCallback(v8::Persistent<v8::Value> handle, void*) {
  v8::HandleScope scope;
  v8::Handle<v8::Object> obj =
      v8::Context::GetCurrent()->Global()->Get(v8_str("obj")).As<v8::Object>();
  obj->Delete(v8_str("foo"));
  handle.Dispose();
}

TEST(WeakCallbackChangingStuff) {
  i::FLAG_allow_natives_syntax = true;
  v8::HandleScope scope;
  LocalContext env;
  // Create an object with an inobject property "foo".
  v8::Local<v8::Object> obj = CompileRun("({foo: 0})").As<v8::Object>();
  env->Global()->Set(v8_str("obj"), obj);
  // Create a function storing to the property. Note, HCheckMap(obj)
  // is hoisted out of the loop containing allocation.
  CompileRun("function test() {"
             "  for (var i = 0; i < 1000; ++i) {"
             "    obj.foo = i / 1000;"
             "  }"
             "}"
             "test(); test();"
             "%OptimizeFunctionOnNextCall(test);");
  // Create a garbage object with a weak callback changing the map of
  // the object above.
  v8::Persistent<v8::Object> weak_handle;
  {
    v8::HandleScope temp_scope;
    v8::Local<v8::Object> garbage = v8::Object::New();
    weak_handle = v8::Persistent<v8::Object>::New(garbage);
    weak_handle.MakeWeak(NULL, &ChangingStuffCallback);
    weak_handle.MarkIndependent();
  }
  CompileRun("for (var i = 0; i < 100; ++i) test();");
}
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev