[runtime] Fix Object.create(null) initialization order

A GC might cause the just created dictionary object to have an invalid backing store, which breaks heap verification. BUG=chromium:659088 Review-Url: https://codereview.chromium.org/2452653002 Cr-Commit-Position: refs/heads/master@{#40574}

[runtime] Fix Object.create(null) initialization order
A GC might cause the just created dictionary object to have an invalid backing store, which breaks heap verification. BUG=chromium:659088 Review-Url: https://codereview.chromium.org/2452653002 Cr-Commit-Position: refs/heads/master@{#40574}
f5d4f8f8 · cbruni · Commit bot · 9f4f582b · f5d4f8f8
Commit f5d4f8f8 authored Oct 26, 2016 by cbruni Committed by Commit bot Oct 26, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 5 deletions

runtime-object.cc src/runtime/runtime-object.cc +10 -5

No files found.
--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@@ -247,13 +247,18 @@ RUNTIME_FUNCTION(Runtime_ObjectCreate) {
    }
  }

+  bool is_dictionary_map = map->is_dictionary_map();
+  Handle<FixedArray> object_properties;
+  if (is_dictionary_map) {
+    // Allocate the actual properties dictionay up front to avoid invalid object
+    // state.
+    object_properties =
+        NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
+  }
  // Actually allocate the object.
  Handle<JSObject> object = isolate->factory()->NewJSObjectFromMap(map);
-
-  if (map->is_dictionary_map()) {
-    Handle<NameDictionary> properties =
-        NameDictionary::New(isolate, NameDictionary::kInitialCapacity);
-    object->set_properties(*properties);
+  if (is_dictionary_map) {
+    object->set_properties(*object_properties);
  }

  // Define the properties if properties was specified and is not undefined.