Fix GC error in ES5 read-only properties implementation.

Review URL: http://codereview.chromium.org/3920005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix GC error in ES5 read-only properties implementation.
Review URL: http://codereview.chromium.org/3920005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
963cc2e4 · erik.corry@gmail.com · 852016c1 · 963cc2e4 · 963cc2e4 · 963cc2e4
Commit 963cc2e4 authored Oct 20, 2010 by erik.corry@gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 62 additions and 5 deletions

handles.cc src/handles.cc +8 -0

handles.h src/handles.h +4 -0

runtime.cc src/runtime.cc +5 -5

define-property-gc.js test/mjsunit/define-property-gc.js +45 -0

No files found.
--- a/src/handles.cc
+++ b/src/handles.cc
@@ -210,6 +210,14 @@ void TransformToFastProperties(Handle<JSObject> object,
 }


+void NumberDictionarySet(Handle<NumberDictionary> dictionary,
+                         uint32_t index,
+                         Handle<Object> value,
+                         PropertyDetails details) {
+  CALL_HEAP_FUNCTION_VOID(dictionary->Set(index, *value, details));
+}
+
+
 void FlattenString(Handle<String> string) {
  CALL_HEAP_FUNCTION_VOID(string->TryFlatten());
 }

--- a/src/handles.h
+++ b/src/handles.h
@@ -193,6 +193,10 @@ void NormalizeProperties(Handle<JSObject> object,
 void NormalizeElements(Handle<JSObject> object);
 void TransformToFastProperties(Handle<JSObject> object,
                               int unused_property_fields);
+void NumberDictionarySet(Handle<NumberDictionary> dictionary,
+                         uint32_t index,
+                         Handle<Object> value,
+                         PropertyDetails details);

 // Flattens a string.
 void FlattenString(Handle<String> str);

--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3538,12 +3538,12 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
  if (((unchecked & (DONT_DELETE | DONT_ENUM | READ_ONLY)) != 0) &&
      is_element) {
    // Normalize the elements to enable attributes on the property.
-    js_object->NormalizeElements();
-    NumberDictionary* dictionary = js_object->element_dictionary();
+    NormalizeElements(js_object);
+    Handle<NumberDictionary> dictionary(js_object->element_dictionary());
    // Make sure that we never go back to fast case.
    dictionary->set_requires_slow_elements();
    PropertyDetails details = PropertyDetails(attr, NORMAL);
-    dictionary->Set(index, *obj_value, details);
+    NumberDictionarySet(dictionary, index, obj_value, details);
  }

  LookupResult result;
@@ -3557,7 +3557,7 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
  // new attributes.
  if (result.IsProperty() && attr != result.GetAttributes()) {
    // New attributes - normalize to avoid writing to instance descriptor
-    js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+    NormalizeProperties(js_object, CLEAR_INOBJECT_PROPERTIES, 0);
    // Use IgnoreAttributes version since a readonly property may be
    // overridden and SetProperty does not allow this.
    return js_object->IgnoreAttributesAndSetLocalProperty(*name,
@@ -4154,7 +4154,7 @@ static Object* Runtime_ToSlowProperties(Arguments args) {
  Handle<Object> object = args.at<Object>(0);
  if (object->IsJSObject()) {
    Handle<JSObject> js_object = Handle<JSObject>::cast(object);
-    js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+    NormalizeProperties(js_object, CLEAR_INOBJECT_PROPERTIES, 0);
  }
  return *object;
 }

--- a/test/mjsunit/define-property-gc.js
+++ b/test/mjsunit/define-property-gc.js
+// Copyright 2010 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Tests the handling of GC issues in the defineProperty method.
+// Flags: --max-new-space-size=256
+
+function Regular() {
+  this[0] = 0;
+  this[1] = 1;
+}
+
+
+function foo() {
+  var descElementNonWritable = { value: 'foofoo', writable: false };
+  for (var i = 0; i < 1000; i++) {
+    var regular = new Regular();
+    Object.defineProperty(regular, '1', descElementNonWritable);
+  }
+}
+
+foo();