Fix non-idempotent modification in JSObject::AddFastProperty.

R=verwaest@chromium.org BUG=mozilla/ecma/Array/15.4.5.2-2 Review URL: https://codereview.chromium.org/15955010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix non-idempotent modification in JSObject::AddFastProperty.
R=verwaest@chromium.org BUG=mozilla/ecma/Array/15.4.5.2-2 Review URL: https://codereview.chromium.org/15955010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
b8154d93 · mstarzinger@chromium.org · 3718dae5 · b8154d93
Commit b8154d93 authored May 31, 2013 by mstarzinger@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

objects.cc src/objects.cc +7 -4

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1824,15 +1824,18 @@ MaybeObject* JSObject::AddFastProperty(Name* name,
  Heap* heap = isolate->heap();
-  Map* new_map;
-  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
-  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
  Object* storage;
  MaybeObject* maybe_storage =
      value->AllocateNewStorageFor(heap, representation);
  if (!maybe_storage->To(&storage)) return maybe_storage;
+  // Note that Map::CopyAddDescriptor has side-effects, the new map is already
+  // inserted in the transition tree. No more allocations that might fail are
+  // allowed after this point.
+  Map* new_map;
+  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
+  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
  if (map()->unused_property_fields() == 0) {
    ASSERT(values != NULL);
    set_properties(values);