Reviewers: Toon Verwaest,
Description:
Merged r12629 into trunk branch.
Restore the descriptor array before returning allocation failure.
BUG=chromium:151750
[email protected]
Please review this at https://codereview.chromium.org/11036057/
SVN Base: https://v8.googlecode.com/svn/trunk
Affected files:
M src/objects.cc
M src/version.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
cbef145d971a84c9c601234b0241337b3dae2f2e..c7d4e7d640339a30ba4be4ac3f34ef0bcc5cb10c
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1784,8 +1784,11 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
old_target->SetBackPointer(GetHeap()->undefined_value());
MaybeObject* maybe_failure =
old_target->SetDescriptors(old_descriptors);
- if (maybe_failure->IsFailure()) return maybe_failure;
+ // Reset the backpointer before returning failure, otherwise the map
ends up
+ // with an undefined backpointer and no descriptors, losing its own
+ // descriptors. Setting the backpointer always succeeds.
old_target->SetBackPointer(old_map);
+ if (maybe_failure->IsFailure()) return maybe_failure;
old_map->set_owns_descriptors(true);
}
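Review bot: The failure return that now follows `old_target->SetBackPointer(old_map);` still skips `old_map->set_owns_descriptors(true);`, and the hunk does not show what descriptor state `old_target` is left in when `SetDescriptors` fails. Please confirm that a failed `SetDescriptors` leaves the target's previous descriptors untouched, since a half-updated map that survives an allocation failure is the kind of inconsistent heap state that can turn into memory corruption later. The added comment would read more clearly if it stated the invariant directly, for example `// Restore the back pointer before checking for failure, so that an allocation failure never leaves old_target with an undefined back pointer.` The affected-files list contains no regression test, and this path is presumably only reached under allocation failure, so a test that forces a failure at this call would stop the ordering from being reverted unnoticed. The enclosing function starts and ends outside the hunk.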
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
9c9de7ca5d20a2bd5ebbce3b4f6113162e1f8679..f6dba0939c132d45d901767487842b20fc9f3876
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 14
#define BUILD_NUMBER 1
-#define PATCH_LEVEL 1
+#define PATCH_LEVEL 2
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0