| OLD | NEW |
|---|
| 1 // Copyright 2006-2008 the V8 project authors. All rights reserved. | 1 // Copyright 2006-2008 the V8 project authors. All rights reserved. |
| 2 // Redistribution and use in source and binary forms, with or without | 2 // Redistribution and use in source and binary forms, with or without |
| 3 // modification, are permitted provided that the following conditions are | 3 // modification, are permitted provided that the following conditions are |
| 4 // met: | 4 // met: |
| 5 // | 5 // |
| 6 // * Redistributions of source code must retain the above copyright | 6 // * Redistributions of source code must retain the above copyright |
| 7 // notice, this list of conditions and the following disclaimer. | 7 // notice, this list of conditions and the following disclaimer. |
| 8 // * Redistributions in binary form must reproduce the above | 8 // * Redistributions in binary form must reproduce the above |
| 9 // copyright notice, this list of conditions and the following | 9 // copyright notice, this list of conditions and the following |
| 10 // disclaimer in the documentation and/or other materials provided | 10 // disclaimer in the documentation and/or other materials provided |
| (...skipping 552 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 563 Handle<Object> descriptors) { | 563 Handle<Object> descriptors) { |
| 564 v8::NeanderArray callbacks(descriptors); | 564 v8::NeanderArray callbacks(descriptors); |
| 565 int nof_callbacks = callbacks.length(); | 565 int nof_callbacks = callbacks.length(); |
| 566 Handle<DescriptorArray> result = | 566 Handle<DescriptorArray> result = |
| 567 NewDescriptorArray(array->number_of_descriptors() + nof_callbacks); | 567 NewDescriptorArray(array->number_of_descriptors() + nof_callbacks); |
| 568 | 568 |
| 569 // Number of descriptors added to the result so far. | 569 // Number of descriptors added to the result so far. |
| 570 int descriptor_count = 0; | 570 int descriptor_count = 0; |
| 571 | 571 |
| 572 // Copy the descriptors from the array. | 572 // Copy the descriptors from the array. |
| 573 DescriptorWriter w(*result); | 573 { |
| 574 for (DescriptorReader r(*array); !r.eos(); r.advance()) { | 574 DescriptorWriter w(*result); |
| 575 if (!r.IsNullDescriptor()) { | 575 for (DescriptorReader r(*array); !r.eos(); r.advance()) { |
| 576 w.WriteFrom(&r); | 576 if (!r.IsNullDescriptor()) { |
| 577 w.WriteFrom(&r); |
| 578 } |
| 579 descriptor_count++; |
| 577 } | 580 } |
| 578 descriptor_count++; | |
| 579 } | 581 } |
| 580 | 582 |
| 581 // Number of duplicates detected. | 583 // Number of duplicates detected. |
| 582 int duplicates = 0; | 584 int duplicates = 0; |
| 583 | 585 |
| 584 // Fill in new callback descriptors. Process the callbacks from | 586 // Fill in new callback descriptors. Process the callbacks from |
| 585 // back to front so that the last callback with a given name takes | 587 // back to front so that the last callback with a given name takes |
| 586 // precedence over previously added callbacks with that name. | 588 // precedence over previously added callbacks with that name. |
| 587 for (int i = nof_callbacks - 1; i >= 0; i--) { | 589 for (int i = nof_callbacks - 1; i >= 0; i--) { |
| 588 Handle<AccessorInfo> entry = | 590 Handle<AccessorInfo> entry = |
| 589 Handle<AccessorInfo>(AccessorInfo::cast(callbacks.get(i))); | 591 Handle<AccessorInfo>(AccessorInfo::cast(callbacks.get(i))); |
| 590 // Ensure the key is a symbol before writing into the instance descriptor. | 592 // Ensure the key is a symbol before writing into the instance descriptor. |
| 591 Handle<String> key = | 593 Handle<String> key = |
| 592 SymbolFromString(Handle<String>(String::cast(entry->name()))); | 594 SymbolFromString(Handle<String>(String::cast(entry->name()))); |
| 593 // Check if a descriptor with this name already exists before writing. | 595 // Check if a descriptor with this name already exists before writing. |
| 594 if (result->LinearSearch(*key, descriptor_count) == | 596 if (result->LinearSearch(*key, descriptor_count) == |
| 595 DescriptorArray::kNotFound) { | 597 DescriptorArray::kNotFound) { |
| 596 CallbacksDescriptor desc(*key, *entry, entry->property_attributes()); | 598 CallbacksDescriptor desc(*key, *entry, entry->property_attributes()); |
| 597 w.Write(&desc); | 599 // We do not use a DescriptorWriter because SymbolFromString can |
| 600 // allocate. A DescriptorWriter holds a raw pointer and is |
| 601 // therefore not GC safe. |
| 602 result->Set(descriptor_count, &desc); |
| 598 descriptor_count++; | 603 descriptor_count++; |
| 599 } else { | 604 } else { |
| 600 duplicates++; | 605 duplicates++; |
| 601 } | 606 } |
| 602 } | 607 } |
| 603 | 608 |
| 604 // If duplicates were detected, allocate a result of the right size | 609 // If duplicates were detected, allocate a result of the right size |
| 605 // and transfer the elements. | 610 // and transfer the elements. |
| 606 if (duplicates > 0) { | 611 if (duplicates > 0) { |
| 607 Handle<DescriptorArray> new_result = | 612 Handle<DescriptorArray> new_result = |
| (...skipping 311 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 919 Execution::ConfigureInstance(instance, | 924 Execution::ConfigureInstance(instance, |
| 920 instance_template, | 925 instance_template, |
| 921 pending_exception); | 926 pending_exception); |
| 922 } else { | 927 } else { |
| 923 *pending_exception = false; | 928 *pending_exception = false; |
| 924 } | 929 } |
| 925 } | 930 } |
| 926 | 931 |
| 927 | 932 |
| 928 } } // namespace v8::internal | 933 } } // namespace v8::internal |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 149304:
Fix unsafe use of DescriptorWriter across allocation.... (Closed)
Base URL: http://v8.googlecode.com/svn/branches/bleeding_edge/