Fix ASSERT violation when BinaryOpIC::Transition recurses into itself

BUG=chromium:352586
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/201313002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20000 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 6a4a934d
......@@ -2404,8 +2404,11 @@ MaybeObject* BinaryOpIC::Transition(Handle<AllocationSite> allocation_site,
isolate(), function, left, 1, &right, &caught_exception);
if (caught_exception) return Failure::Exception();
// Execution::Call can execute arbitrary JavaScript, hence potentially
// update the state of this very IC, so we must update the stored state.
UpdateTarget();
// Compute the new state.
State old_state = state;
State old_state(target()->extra_ic_state());
state.Update(left, right, result);
// Check if we have a string operation here.
......
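Review bot: `state.Update(left, right, result)` still works on the `state` object, which this hunk does not refresh, while only `old_state` is re-read from the updated target. `state` is declared outside the hunk, so this is inferred, but if it was built from `target()` before `Execution::Call` and the re-entrant call already transitioned this IC, the update starts from a snapshot older than `old_state`. Any later comparison of the two may then not describe a real transition. Either rebuild `state` after `UpdateTarget()` or record why the stale snapshot is wanted, e.g. `// |state| deliberately keeps the pre-call snapshot; only old_state is re-read.` The body of `BinaryOpIC::Transition` starts and ends outside this hunk, so anything else cached from the target before the call could not be checked here.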
......@@ -247,6 +247,11 @@ class IC {
extra_ic_state_ = state;
}
protected:
void UpdateTarget() {
target_ = handle(raw_target(), isolate_);
}
private:
Code* raw_target() const {
return GetTargetAtAddress(address(), constant_pool());
......
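Review bot: `UpdateTarget()` is added without a comment saying when a subclass has to call it, which is the whole contract of this helper. The call site in `BinaryOpIC::Transition` explains the reason, but the next IC that runs JavaScript in the middle of a transition will only see this declaration. Something like `// Re-reads target_ from the call site. Call after any operation that may run JavaScript and repatch this IC.` above it would carry the rule over. Because `handle(raw_target(), isolate_)` creates a new handle, the comment could also say that callers need an open HandleScope, which is presumably true for every IC entry point but is not visible here. The `IC` class body continues outside the hunk.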
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var a = {};
function getter() {
do {
return a + 1;
} while (false);
}
a.__proto__ = Error("");
a.__defineGetter__('message', getter);
a.message;
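Review bot: The regression test ends in a bare `a.message;` with no assertion, so it can only fail through the debug-build ASSERT and passes vacuously in a release build. A header comment would also keep it from reading as dead code, e.g. `// Regression test for chromium:352586: the 'message' getter evaluates a + 1, which re-enters the same binary-op site.` That wording assumes stringifying `a` reads `message` again, which should be confirmed. Asserting on the value returned by `a.message` would give release runs something to check.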