Fix unsafe use of DescriptorWriter across allocation.

DescriptorWriters hold a raw pointer to the descriptor array and they are therefore not GC safe. Review URL: http://codereview.chromium.org/149304 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2384 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix unsafe use of DescriptorWriter across allocation.
DescriptorWriters hold a raw pointer to the descriptor array and they are therefore not GC safe. Review URL: http://codereview.chromium.org/149304 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2384 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
5c896170 · ager@chromium.org · 7eb5fbfc · 5c896170
Commit 5c896170 authored Jul 08, 2009 by ager@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

factory.cc src/factory.cc +11 -6

No files found.
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -570,12 +570,14 @@ Handle<DescriptorArray> Factory::CopyAppendCallbackDescriptors(
  int descriptor_count = 0;

  // Copy the descriptors from the array.
-  DescriptorWriter w(*result);
-  for (DescriptorReader r(*array); !r.eos(); r.advance()) {
-    if (!r.IsNullDescriptor()) {
-      w.WriteFrom(&r);
+  {
+    DescriptorWriter w(*result);
+    for (DescriptorReader r(*array); !r.eos(); r.advance()) {
+      if (!r.IsNullDescriptor()) {
+        w.WriteFrom(&r);
+      }
+      descriptor_count++;
    }
-    descriptor_count++;
  }

  // Number of duplicates detected.
@@ -594,7 +596,10 @@ Handle<DescriptorArray> Factory::CopyAppendCallbackDescriptors(
    if (result->LinearSearch(*key, descriptor_count) ==
        DescriptorArray::kNotFound) {
      CallbacksDescriptor desc(*key, *entry, entry->property_attributes());
-      w.Write(&desc);
+      // We do not use a DescriptorWriter because SymbolFromString can
+      // allocate. A DescriptorWriter holds a raw pointer and is
+      // therefore not GC safe.
+      result->Set(descriptor_count, &desc);
      descriptor_count++;
    } else {
      duplicates++;