When redefining accessor properties, defensively copy AccessorPairs.

The previous code relied on the tricky global invariant that there is no map
sharing when accessor properties are involved (or in other words: that
TransformToFastProperties is dumb enough :-). Although this is not a real
problem with the current code, this assumption breaks when map sharing in fast
mode is enabled, so we defensively copy an AccessorPair.

Review URL: https://chromiumcodereview.appspot.com/9430048

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10810 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent fbc230e4
...@@ -4471,9 +4471,14 @@ MaybeObject* JSObject::DefinePropertyAccessor(String* name, ...@@ -4471,9 +4471,14 @@ MaybeObject* JSObject::DefinePropertyAccessor(String* name,
Object* obj = result.GetCallbackObject(); Object* obj = result.GetCallbackObject();
// Need to preserve old getters/setters. // Need to preserve old getters/setters.
if (obj->IsAccessorPair()) { if (obj->IsAccessorPair()) {
AccessorPair::cast(obj)->set(is_getter, fun); AccessorPair* copy;
{ MaybeObject* maybe_copy =
AccessorPair::cast(obj)->CopyWithoutTransitions();
if (!maybe_copy->To(&copy)) return maybe_copy;
}
copy->set(is_getter, fun);
// Use set to update attributes. // Use set to update attributes.
{ MaybeObject* maybe_ok = SetPropertyCallback(name, obj, attributes); { MaybeObject* maybe_ok = SetPropertyCallback(name, copy, attributes);
if (maybe_ok->IsFailure()) return maybe_ok; if (maybe_ok->IsFailure()) return maybe_ok;
} }
return GetHeap()->undefined_value(); return GetHeap()->undefined_value();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment