Revision: 12666
Author: [email protected]
Date: Fri Oct 5 03:12:08 2012
Log: Merged r12629 into trunk branch.
Restore the descriptor array before returning allocation failure.
BUG=chromium:151750
[email protected]
Review URL: https://codereview.chromium.org/11036057
http://code.google.com/p/v8/source/detail?r=12666
Modified:
/trunk/src/objects.cc
/trunk/src/version.cc
=======================================
--- /trunk/src/objects.cc Fri Oct 5 01:50:56 2012
+++ /trunk/src/objects.cc Fri Oct 5 03:12:08 2012
@@ -1784,8 +1784,11 @@
old_target->SetBackPointer(GetHeap()->undefined_value());
MaybeObject* maybe_failure =
old_target->SetDescriptors(old_descriptors);
+ // Reset the backpointer before returning failure, otherwise the map ends up
+ // with an undefined backpointer and no descriptors, losing its own
+ // descriptors. Setting the backpointer always succeeds.
+ old_target->SetBackPointer(old_map);
if (maybe_failure->IsFailure()) return maybe_failure;
- old_target->SetBackPointer(old_map);
old_map->set_owns_descriptors(true);
}
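Review bot: On the failure return at `if (maybe_failure->IsFailure()) return maybe_failure;`, old_target now has its back pointer restored but `old_map->set_owns_descriptors(true)` is skipped, and the hunk does not show whether earlier lines of this block changed other state on old_map or old_target that would also need undoing. That is worth confirming, since the enclosing function starts and ends outside the hunk. The sequence of clearing the back pointer, calling `SetDescriptors` and restoring the back pointer is only safe if no return sits between the clear and the restore, so I would state that in the comment, e.g. `// Invariant: no return between clearing and restoring the back pointer.`. The Modified list contains no test file, so the allocation-failure path for chromium:151750 appears not to be exercised by this merge; a regression test that forces the failure would guard the ordering.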
=======================================
--- /trunk/src/version.cc Fri Oct 5 01:50:56 2012
+++ /trunk/src/version.cc Fri Oct 5 03:12:08 2012
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 14
#define BUILD_NUMBER 1
-#define PATCH_LEVEL 1
+#define PATCH_LEVEL 2
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0