Status: Accepted
Owner: [email protected]
CC: [email protected], [email protected]
Labels: Type-Bug Priority-Medium Harmony
New issue 2219 by [email protected]: Harmony Proxy traps are not
GC-safe
http://code.google.com/p/v8/issues/detail?id=2219
The Harmony traps can have arbitrary side effects that might trigger GCs.
Unfortunately the calling code (i.e. SetProperty) is unhandlified and
reuses direct pointers after the trap returns. The following is a short
repro.

    // Flags: --harmony-proxies --expose-gc
    var p = Proxy.create({getPropertyDescriptor: function() { gc() }});
    var o = Object.create(p);
    assertSame(23, o.x = 23);

This is currently causing flaky crashes on our non-snapshot release-mode
builder and can be reproduced with mjsunit/harmony/proxies. Thanks to
Sanjoy for catching this in GDB.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
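
The failure mode reported above (a direct pointer reused after a trap that may trigger a GC), modelled as an added example that is not V8 code and not part of the original report. ToyHeap, Trap, StoreUnhandlified and StoreHandlified are hypothetical names, and the stale write goes to a poisoned but still valid toy semi-space so the effect can be observed safely.

```cpp
// Added illustration (not V8 code): toy semi-space heap with a moving collector.
#include <array>
#include <cstddef>
#include <functional>
#include <vector>
struct Obj { int field; };
constexpr int kPoison = -1;  // written into memory the collector has vacated
class ToyHeap {
 public:
  using Handle = std::size_t;  // index into a root table the collector updates
  Handle Allocate(int value) {
    roots_.push_back(&space_[active_].at(used_++));  // throws when the toy space is full
    roots_.back()->field = value;
    return roots_.size() - 1;
  }
  Obj* Deref(Handle h) const { return roots_.at(h); }
  // Copy every rooted object to the other semi-space, poison the old copy, fix the root.
  void CollectGarbage() {
    const int to = 1 - active_;
    std::size_t n = 0;
    for (Obj*& root : roots_) {
      space_[to][n] = *root;
      root->field = kPoison;
      root = &space_[to][n++];
    }
    active_ = to;
    used_ = n;
  }
 private:
  std::array<std::array<Obj, 16>, 2> space_{};
  int active_ = 0;
  std::size_t used_ = 0;
  std::vector<Obj*> roots_;
};
using Trap = std::function<void(ToyHeap&)>;  // stands in for a user-defined proxy trap
// Unhandlified: direct pointer taken before the trap and reused after it returns.
int StoreUnhandlified(ToyHeap& heap, ToyHeap::Handle receiver, int value, const Trap& trap) {
  Obj* raw = heap.Deref(receiver);
  trap(heap);
  raw->field = value;  // lands in vacated memory if the trap collected
  return heap.Deref(receiver)->field;
}
// Handlified: the object is looked up through its handle again after the trap.
int StoreHandlified(ToyHeap& heap, ToyHeap::Handle receiver, int value, const Trap& trap) {
  trap(heap);
  heap.Deref(receiver)->field = value;
  return heap.Deref(receiver)->field;
}
```

With a trap that calls CollectGarbage, StoreUnhandlified returns the old field value because the store went to the vacated copy, while StoreHandlified returns the value just stored.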