Reviewers: Toon Verwaest,
Description:
Fix non-idempotent modification in JSObject::AddFastProperty.
[email protected]
BUG=mozilla/ecma/Array/15.4.5.2-2
Please review this at https://codereview.chromium.org/15955010/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/objects.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
e83a32d059d19ee30bbf1a0e4fa27b21ec739452..f45945b4b777767f6d57a9ff4b7e88e13c580a79
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1824,15 +1824,18 @@ MaybeObject* JSObject::AddFastProperty(Name* name,
Heap* heap = isolate->heap();
- Map* new_map;
- MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
- if (!maybe_new_map->To(&new_map)) return maybe_new_map;
-
Object* storage;
MaybeObject* maybe_storage =
value->AllocateNewStorageFor(heap, representation);
if (!maybe_storage->To(&storage)) return maybe_storage;
+ // Note that Map::CopyAddDescriptor has side-effects, the new map is
already
+ // inserted in the transition tree. No more allocations that might fail
are
+ // allowed after this point.
+ Map* new_map;
+ MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
+ if (!maybe_new_map->To(&new_map)) return maybe_new_map;
+
if (map()->unused_property_fields() == 0) {
ASSERT(values != NULL);
set_properties(values);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
