Make sure backing store pointer in handles get cleared after use in factory.

BUG=442710 LOG=n Review URL: https://codereview.chromium.org/813023002 Cr-Commit-Position: refs/heads/master@{#25881}

Make sure backing store pointer in handles get cleared after use in factory.
BUG=442710 LOG=n Review URL: https://codereview.chromium.org/813023002 Cr-Commit-Position: refs/heads/master@{#25881}
377de642 · hpayer · Commit bot · bb65d40d · 377de642 · 377de642
Commit 377de642 authored Dec 18, 2014 by hpayer Committed by Commit bot Dec 18, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

factory.cc src/factory.cc +1 -0

test-heap.cc test/cctest/test-heap.cc +17 -0

No files found.
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1682,6 +1682,7 @@ void Factory::NewJSArrayStorage(Handle<JSArray> array,
    return;
  }

+  HandleScope inner_scope(isolate());
  Handle<FixedArrayBase> elms;
  ElementsKind elements_kind = array->GetElementsKind();
  if (IsFastDoubleElementsKind(elements_kind)) {

--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -5006,6 +5006,23 @@ TEST(Regress3631) {
 }


+TEST(Regress442710) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = isolate->heap();
+  Factory* factory = isolate->factory();
+
+  HandleScope sc(isolate);
+  Handle<GlobalObject> global(CcTest::i_isolate()->context()->global_object());
+  Handle<JSArray> array = factory->NewJSArray(2);
+
+  Handle<String> name = factory->InternalizeUtf8String("testArray");
+  JSReceiver::SetProperty(global, name, array, SLOPPY).Check();
+  CompileRun("testArray[0] = 1; testArray[1] = 2; testArray.shift();");
+  heap->CollectGarbage(OLD_POINTER_SPACE);
+}
+
+
 #ifdef DEBUG
 TEST(PathTracer) {
  CcTest::InitializeVM();