Fix GC bug

The patching of the receiver added in r3616 was not GC-safe and could leave a failure object in place of the receiver if allocation of the wrapper JS object failed. Review URL: http://codereview.chromium.org/546068 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3633 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix GC bug
The patching of the receiver added in r3616 was not GC-safe and could leave a failure object in place of the receiver if allocation of the wrapper JS object failed. Review URL: http://codereview.chromium.org/546068 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3633 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
8707b362 · sgjesse@chromium.org · ef0743ab · 8707b362 · 8707b362 · 8707b362
Commit 8707b362 authored Jan 18, 2010 by sgjesse@chromium.org
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

factory.cc src/factory.cc +5 -0

factory.h src/factory.h +1 -0

ic.cc src/ic.cc +3 -3

ic.h src/ic.h +1 -1

No files found.
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -718,6 +718,11 @@ Handle<JSFunction> Factory::NewFunction(Handle<String> name,
 }
+Handle<Object> Factory::ToObject(Handle<Object> object) {
+  CALL_HEAP_FUNCTION(object->ToObject(), Object);
+}
 Handle<Object> Factory::ToObject(Handle<Object> object,
                                 Handle<Context> global_context) {
  CALL_HEAP_FUNCTION(object->ToObject(*global_context), Object);

--- a/src/factory.h
+++ b/src/factory.h
@@ -229,6 +229,7 @@ class Factory : public AllStatic {
  static Handle<Code> CopyCode(Handle<Code> code);
+  static Handle<Object> ToObject(Handle<Object> object);
  static Handle<Object> ToObject(Handle<Object> object,
                                 Handle<Context> global_context);

--- a/src/ic.cc
+++ b/src/ic.cc
@@ -378,7 +378,7 @@ Object* CallIC::TryCallAsFunction(Object* object) {
  return *delegate;
 }
-void CallIC::ReceiverToObject(Object* object) {
+void CallIC::ReceiverToObject(Handle<Object> object) {
  HandleScope scope;
  Handle<Object> receiver(object);
@@ -387,7 +387,7 @@ void CallIC::ReceiverToObject(Object* object) {
  StackFrameLocator locator;
  JavaScriptFrame* frame = locator.FindJavaScriptFrame(0);
  int index = frame->ComputeExpressionsCount() - (argc + 1);
-  frame->SetExpression(index, object->ToObject());
+  frame->SetExpression(index, *Factory::ToObject(object));
 }
@@ -401,7 +401,7 @@ Object* CallIC::LoadFunction(State state,
  }
  if (object->IsString() || object->IsNumber() || object->IsBoolean()) {
-    ReceiverToObject(*object);
+    ReceiverToObject(object);
  }
  // Check if the name is trivially convertible to an index and get

--- a/src/ic.h
+++ b/src/ic.h
@@ -209,7 +209,7 @@ class CallIC: public IC {
  // Otherwise, it returns the undefined value.
  Object* TryCallAsFunction(Object* object);
-  void ReceiverToObject(Object* object);
+  void ReceiverToObject(Handle<Object> object);
  static void Clear(Address address, Code* target);
  friend class IC;