On Sat, Dec 22, 2012 at 2:27 PM, Stephan Beal <[email protected]> wrote:
> Hi, devs,
>
> i have just found a regression (from "sometime since last summer") in the
> handling of Object destruction. Consider this JS code:
> ...
>
> # Fatal error in ../src/objects-inl.h, line 2386
> # CHECK(object->IsJSObject()) failed
> #
>
The worst part is that I verify that Value->IsObject() holds before attempting
the GetPointerFromInternalField():
// Functor that extracts the native pointer stored in a JS object's
// internal field, optionally walking up the prototype chain.
// ResultType, InternalFieldCount, InternalFieldIndex and
// SearchPrototypeChain are assumed to be members or template parameters
// of the enclosing class (not shown in this message).
ResultType operator()( v8::Handle<v8::Value> const & h ) const
{
    // Reject empty handles and non-objects before touching internal fields.
    if( h.IsEmpty() || ! h->IsObject() ) return NULL;
    else
    {
        void * ext = NULL;
        v8::Handle<v8::Value> proto(h);
        // Walk from the object up its prototype chain until a matching
        // internal field is found or a non-object is reached.
        while( !ext && !proto.IsEmpty() && proto->IsObject() )
        {
            v8::Local<v8::Object> const & obj( v8::Object::Cast( *proto ) );
            // Only read the internal field if the object has the expected
            // number of internal fields; otherwise treat it as foreign.
            ext = (obj->InternalFieldCount() != InternalFieldCount)
                ? NULL
                : obj->GetPointerFromInternalField( InternalFieldIndex );
            if( ! ext )
            {
                if( !SearchPrototypeChain ) break;
                else proto = obj->GetPrototype();
            }
        }
        return ext ? static_cast<ResultType>(ext) : NULL;
    }
}
So this appears to be a genuine bug in v8, in that IsObject() is returning
true and Object::Cast() is functioning (not asserting), but
GetPointerFromInternalField() is triggering a not-an-object assertion.
--
----- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
--
v8-users mailing list
[email protected]
http://groups.google.com/group/v8-users