Fix use of raw object in JSSegmentIterator

Fix JSSegmentIterator::Create getting the unicode string as a raw object pointer and then performing memory allocation which then invalidates it. This changes SetTextToBreakIterator to return a handle instead. Bug: v8:6891 Change-Id: I57e175b31e78a074a0b3c5a8fc26b4af05b4a752 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1667409 Commit-Queue: Dan Elphick <delphick@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Auto-Submit: Dan Elphick <delphick@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#62287}

Fix use of raw object in JSSegmentIterator
Fix JSSegmentIterator::Create getting the unicode string as a raw object pointer and then performing memory allocation which then invalidates it. This changes SetTextToBreakIterator to return a handle instead. Bug: v8:6891 Change-Id: I57e175b31e78a074a0b3c5a8fc26b4af05b4a752 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1667409 Commit-Queue: Dan Elphick <delphick@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Auto-Submit: Dan Elphick <delphick@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#62287}
66865057 · Dan Elphick · Commit Bot · 82bc7d1a · 66865057 · 66865057
Commit 66865057 authored Jun 19, 2019 by Dan Elphick Committed by Commit Bot Jun 19, 2019
4 changed files
--- a/src/objects/intl-objects.cc
+++ b/src/objects/intl-objects.cc
@@ -1659,7 +1659,7 @@ Intl::ResolvedLocale Intl::ResolveLocale(
  return Intl::ResolvedLocale{canonicalized_locale, icu_locale, extensions};
 }

-Managed<icu::UnicodeString> Intl::SetTextToBreakIterator(
+Handle<Managed<icu::UnicodeString>> Intl::SetTextToBreakIterator(
    Isolate* isolate, Handle<String> text, icu::BreakIterator* break_iterator) {
  text = String::Flatten(isolate, text);
  icu::UnicodeString* u_text =
@@ -1669,7 +1669,7 @@ Managed<icu::UnicodeString> Intl::SetTextToBreakIterator(
      Managed<icu::UnicodeString>::FromRawPtr(isolate, 0, u_text);

  break_iterator->setText(*u_text);
-  return *new_u_text;
+  return new_u_text;
 }

 // ecma262 #sec-string.prototype.normalize

--- a/src/objects/intl-objects.h
+++ b/src/objects/intl-objects.h
@@ -304,7 +304,7 @@ class Intl {
  };

  // Utility function to set text to BreakIterator.
-  static Managed<icu::UnicodeString> SetTextToBreakIterator(
+  static Handle<Managed<icu::UnicodeString>> SetTextToBreakIterator(
      Isolate* isolate, Handle<String> text,
      icu::BreakIterator* break_iterator);


--- a/src/objects/js-break-iterator.cc
+++ b/src/objects/js-break-iterator.cc
@@ -131,9 +131,9 @@ void JSV8BreakIterator::AdoptText(
  icu::BreakIterator* break_iterator =
      break_iterator_holder->break_iterator().raw();
  CHECK_NOT_NULL(break_iterator);
-  Managed<icu::UnicodeString> unicode_string =
+  Handle<Managed<icu::UnicodeString>> unicode_string =
      Intl::SetTextToBreakIterator(isolate, text, break_iterator);
-  break_iterator_holder->set_unicode_string(unicode_string);
+  break_iterator_holder->set_unicode_string(*unicode_string);
 }

 Handle<String> JSV8BreakIterator::TypeAsString() const {

--- a/src/objects/js-segment-iterator.cc
+++ b/src/objects/js-segment-iterator.cc
@@ -52,7 +52,7 @@ MaybeHandle<JSSegmentIterator> JSSegmentIterator::Create(

  Handle<Managed<icu::BreakIterator>> managed_break_iterator =
      Managed<icu::BreakIterator>::FromRawPtr(isolate, 0, break_iterator);
-  Managed<icu::UnicodeString> unicode_string =
+  Handle<Managed<icu::UnicodeString>> unicode_string =
      Intl::SetTextToBreakIterator(isolate, text, break_iterator);

  // Now all properties are ready, so we can allocate the result object.
@@ -67,7 +67,7 @@ MaybeHandle<JSSegmentIterator> JSSegmentIterator::Create(
  segment_iterator->set_icu_break_iterator(*managed_break_iterator);

  // 3. Let iterator.[[SegmentIteratorString]] be string.
-  segment_iterator->set_unicode_string(unicode_string);
+  segment_iterator->set_unicode_string(*unicode_string);

  // 4. Let iterator.[[SegmentIteratorIndex]] be 0.
  // step 4 is stored inside break_iterator.