Revision: 10810
Author:   [email protected]
Date:     Thu Feb 23 04:12:28 2012
Log: When redefining accessor properties, defensively copy AccessorPairs.

The previous code relied on the tricky global invariant that there is no map
sharing when accessor properties are involved (or in other words: that
TransformToFastProperties is dumb enough :-). Although this is not a real
problem with the current code, this assumption breaks when map sharing in fast
mode is enabled, so we defensively copy an AccessorPair.

Review URL: https://chromiumcodereview.appspot.com/9430048
http://code.google.com/p/v8/source/detail?r=10810

Modified:
 /branches/bleeding_edge/src/objects.cc

=======================================
--- /branches/bleeding_edge/src/objects.cc      Thu Feb 23 03:43:07 2012
+++ /branches/bleeding_edge/src/objects.cc      Thu Feb 23 04:12:28 2012
@@ -4471,9 +4471,14 @@
       Object* obj = result.GetCallbackObject();
       // Need to preserve old getters/setters.
       if (obj->IsAccessorPair()) {
-        AccessorPair::cast(obj)->set(is_getter, fun);
+        AccessorPair* copy;
+        { MaybeObject* maybe_copy =
+              AccessorPair::cast(obj)->CopyWithoutTransitions();
+          if (!maybe_copy->To(&copy)) return maybe_copy;
+        }
+        copy->set(is_getter, fun);
         // Use set to update attributes.
- { MaybeObject* maybe_ok = SetPropertyCallback(name, obj, attributes); + { MaybeObject* maybe_ok = SetPropertyCallback(name, copy, attributes);
           if (maybe_ok->IsFailure()) return maybe_ok;
         }
         return GetHeap()->undefined_value();
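
Review bot: The new copy made with `AccessorPair::cast(obj)->CopyWithoutTransitions()` carries no comment saying why the pair must not be mutated in place; the only nearby comment is the existing "Need to preserve old getters/setters", which does not cover it. The reason is given only in the log message (the no-map-sharing assumption breaks once map sharing in fast mode is enabled), and a one-line comment next to the copy would keep a later cleanup from folding it back into `AccessorPair::cast(obj)->set(is_getter, fun)`. The change touches only src/objects.cc, so it would also help to add a regression test that redefines one half of an accessor property and checks that the other half is preserved and that no other object's getter or setter changes.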

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
