| OLD | NEW |
|---|
| 1 // Copyright 2006-2009 the V8 project authors. All rights reserved. | 1 // Copyright 2006-2009 the V8 project authors. All rights reserved. |
| 2 // Redistribution and use in source and binary forms, with or without | 2 // Redistribution and use in source and binary forms, with or without |
| 3 // modification, are permitted provided that the following conditions are | 3 // modification, are permitted provided that the following conditions are |
| 4 // met: | 4 // met: |
| 5 // | 5 // |
| 6 // * Redistributions of source code must retain the above copyright | 6 // * Redistributions of source code must retain the above copyright |
| 7 // notice, this list of conditions and the following disclaimer. | 7 // notice, this list of conditions and the following disclaimer. |
| 8 // * Redistributions in binary form must reproduce the above | 8 // * Redistributions in binary form must reproduce the above |
| 9 // copyright notice, this list of conditions and the following | 9 // copyright notice, this list of conditions and the following |
| 10 // disclaimer in the documentation and/or other materials provided | 10 // disclaimer in the documentation and/or other materials provided |
| (...skipping 449 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 460 | 460 |
| 461 | 461 |
| 462 Object* JSObject::DeleteNormalizedProperty(String* name, DeleteMode mode) { | 462 Object* JSObject::DeleteNormalizedProperty(String* name, DeleteMode mode) { |
| 463 ASSERT(!HasFastProperties()); | 463 ASSERT(!HasFastProperties()); |
| 464 StringDictionary* dictionary = property_dictionary(); | 464 StringDictionary* dictionary = property_dictionary(); |
| 465 int entry = dictionary->FindEntry(name); | 465 int entry = dictionary->FindEntry(name); |
| 466 if (entry != StringDictionary::kNotFound) { | 466 if (entry != StringDictionary::kNotFound) { |
| 467 // If we have a global object set the cell to the hole. | 467 // If we have a global object set the cell to the hole. |
| 468 if (IsGlobalObject()) { | 468 if (IsGlobalObject()) { |
| 469 PropertyDetails details = dictionary->DetailsAt(entry); | 469 PropertyDetails details = dictionary->DetailsAt(entry); |
| 470 if (details.IsDontDelete() && mode != FORCE_DELETION) { | 470 if (details.IsDontDelete()) { |
| 471 return Heap::false_value(); | 471 if (mode != FORCE_DELETION) return Heap::false_value(); |
| 472 // When forced to delete global properties, we have to make a |
| 473 // map change to invalidate any ICs that think they can load |
| 474 // from the DontDelete cell without checking if it contains |
| 475 // the hole value. |
| 476 Object* new_map = map()->CopyDropDescriptors(); |
| 477 if (new_map->IsFailure()) return new_map; |
| 478 set_map(Map::cast(new_map)); |
| 472 } | 479 } |
| 473 JSGlobalPropertyCell* cell = | 480 JSGlobalPropertyCell* cell = |
| 474 JSGlobalPropertyCell::cast(dictionary->ValueAt(entry)); | 481 JSGlobalPropertyCell::cast(dictionary->ValueAt(entry)); |
| 475 cell->set_value(Heap::the_hole_value()); | 482 cell->set_value(Heap::the_hole_value()); |
| 476 dictionary->DetailsAtPut(entry, details.AsDeleted()); | 483 dictionary->DetailsAtPut(entry, details.AsDeleted()); |
| 477 } else { | 484 } else { |
| 478 return dictionary->DeleteProperty(entry, mode); | 485 return dictionary->DeleteProperty(entry, mode); |
| 479 } | 486 } |
| 480 } | 487 } |
| 481 return Heap::true_value(); | 488 return Heap::true_value(); |
| (...skipping 1443 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1925 attributes); | 1932 attributes); |
| 1926 } | 1933 } |
| 1927 | 1934 |
| 1928 // Check for accessor in prototype chain removed here in clone. | 1935 // Check for accessor in prototype chain removed here in clone. |
| 1929 if (result->IsNotFound()) { | 1936 if (result->IsNotFound()) { |
| 1930 return AddProperty(name, value, attributes); | 1937 return AddProperty(name, value, attributes); |
| 1931 } | 1938 } |
| 1932 if (!result->IsLoaded()) { | 1939 if (!result->IsLoaded()) { |
| 1933 return SetLazyProperty(result, name, value, attributes); | 1940 return SetLazyProperty(result, name, value, attributes); |
| 1934 } | 1941 } |
| 1935 // Check of IsReadOnly removed from here in clone. | 1942 // Check of IsReadOnly removed from here in clone. |
| 1936 switch (result->type()) { | 1943 switch (result->type()) { |
| 1937 case NORMAL: | 1944 case NORMAL: |
| 1938 return SetNormalizedProperty(result, value); | 1945 return SetNormalizedProperty(result, value); |
| 1939 case FIELD: | 1946 case FIELD: |
| 1940 return FastPropertyAtPut(result->GetFieldIndex(), value); | 1947 return FastPropertyAtPut(result->GetFieldIndex(), value); |
| 1941 case MAP_TRANSITION: | 1948 case MAP_TRANSITION: |
| 1942 if (attributes == result->GetAttributes()) { | 1949 if (attributes == result->GetAttributes()) { |
| 1943 // Only use map transition if the attributes match. | 1950 // Only use map transition if the attributes match. |
| 1944 return AddFastPropertyUsingMap(result->GetTransitionMap(), | 1951 return AddFastPropertyUsingMap(result->GetTransitionMap(), |
| 1945 name, | 1952 name, |
| (...skipping 5764 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7710 if (break_point_objects()->IsUndefined()) return 0; | 7717 if (break_point_objects()->IsUndefined()) return 0; |
| 7711 // Single beak point. | 7718 // Single beak point. |
| 7712 if (!break_point_objects()->IsFixedArray()) return 1; | 7719 if (!break_point_objects()->IsFixedArray()) return 1; |
| 7713 // Multiple break points. | 7720 // Multiple break points. |
| 7714 return FixedArray::cast(break_point_objects())->length(); | 7721 return FixedArray::cast(break_point_objects())->length(); |
| 7715 } | 7722 } |
| 7716 #endif | 7723 #endif |
| 7717 | 7724 |
| 7718 | 7725 |
| 7719 } } // namespace v8::internal | 7726 } } // namespace v8::internal |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 149322:
Fix crash that occurs when we're forced to delete a global... (Closed)
Base URL: http://v8.googlecode.com/svn/branches/bleeding_edge/