Reviewers: ulan,
Message:
Committed patchset #1 manually as r21434 (presubmit successful).
Description:
ClearTypeFeedbackInfo(): context may not be initialized.
SharedFunctionInfo::ClearTypeFeedbackInfo() wants to compare feedback
entries against the Array JSFunction, but it is called at times when the
context is not yet fully initialized, so this check must be guarded.
[email protected]
Committed: https://code.google.com/p/v8/source/detail?r=21434
Please review this at https://codereview.chromium.org/298983002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+12, -3 lines):
M src/objects.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
a1b03eef63d44897d8ad59fd35e7ea5d0f18fa3a..ddeaacd6b44011e6bd1cfd8ee12e377fa154adc7
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11245,10 +11245,19 @@ void Code::ClearInlineCaches(Code::Kind* kind) {
void SharedFunctionInfo::ClearTypeFeedbackInfo() {
FixedArray* vector = feedback_vector();
Heap* heap = GetHeap();
+ JSFunction* array_function = NULL;
+
+ // Clearing type feedback can be called when the contexts are still being
+ // set up so caution is required.
Context* context = GetIsolate()->context();
- JSFunction* array_function = context != NULL
- ? context->native_context()->array_function()
- : NULL;
+ if (context != NULL) {
+ Context* native_context = context->native_context();
+ Object* candidate = native_context->get(Context::ARRAY_FUNCTION_INDEX);
+ if (candidate->IsJSFunction()) {
+ array_function = JSFunction::cast(candidate);
+ }
+ }
+
int length = vector->length();
for (int i = 0; i < length; i++) {
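Review bot: The comment added above the context lookup says only that "caution is required" and does not name the condition the new `IsJSFunction()` check on the `ARRAY_FUNCTION_INDEX` slot is guarding against, so a later reader may reinstate the `array_function()` accessor the patch replaced. I would make it say `// During bootstrapping the native context's ARRAY_FUNCTION_INDEX slot may not hold a JSFunction yet, so read the raw slot instead of array_function(), which presumably would fail its cast; leave array_function NULL in that case.` The hunk also does not show that `context->native_context()` itself is safe to call on a partially initialized context; if that is not guaranteed, a note or an explicit check there would help. Keeping `JSFunction* array_function = NULL;` next to the comment and the `if` rather than above the blank line would read more naturally. The body of ClearTypeFeedbackInfo(), including the loop that consumes `array_function`, continues past the end of the hunk, so the effect of a NULL `array_function` on the cleared entries cannot be judged from here.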