[v8-dev] Merged r14902 into trunk branch. (issue 16256002)

Fri, 31 May 2013 06:15:50 -0700 

Reviewers: rossberg,

Description:
Merged r14902 into trunk branch.

Fix non-idempotent modification in JSObject::AddFastProperty.

[email protected]
TEST=mozilla/ecma/Array/15.4.5.2-2

Please review this at https://codereview.chromium.org/16256002/

SVN Base: https://v8.googlecode.com/svn/trunk

Affected files:
  M src/objects.cc
  M src/version.cc


Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index e83a32d059d19ee30bbf1a0e4fa27b21ec739452..f45945b4b777767f6d57a9ff4b7e88e13c580a79 100644 
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1824,15 +1824,18 @@ MaybeObject* JSObject::AddFastProperty(Name* name,

   Heap* heap = isolate->heap();

-  Map* new_map;
-  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
-  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
-
   Object* storage;
   MaybeObject* maybe_storage =
       value->AllocateNewStorageFor(heap, representation);
   if (!maybe_storage->To(&storage)) return maybe_storage;
+ // Note that Map::CopyAddDescriptor has side-effects, the new map is already + // inserted in the transition tree. No more allocations that might fail are 
+  // allowed after this point.
+  Map* new_map;
+  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
+  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
+
   if (map()->unused_property_fields() == 0) {
     ASSERT(values != NULL);
     set_properties(values);
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index 7cd381f48760c172fab3e2df1e4e208d2a205693..54a547f1abf280ffc731ec69cd4f1ca6b2349f67 100644 
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     19
 #define BUILD_NUMBER      7
-#define PATCH_LEVEL       0
+#define PATCH_LEVEL       1
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to