| Index: src/ic.cc
|
| ===================================================================
|
| --- src/ic.cc (revision 2430)
|
| +++ src/ic.cc (working copy)
|
| @@ -38,6 +38,17 @@
|
| namespace v8 {
|
| namespace internal {
|
|
|
| +// Temporary helper for working around http://crbug.com/16276. If we
|
| +// allow 'the hole value' to leak into the IC code, it may lead to
|
| +// crashes, but this should not happen and we should track down the
|
| +// cause of it.
|
| +static inline Handle<Object> UnholeForBug16276(Handle<Object> object) {
|
| + if (!object->IsTheHole()) return object;
|
| + ASSERT(false); // This should not happen.
|
| + return Factory::undefined_value();
|
| +}
|
| +
|
| +
|
| #ifdef DEBUG
|
| static char TransitionMarkFromState(IC::State state) {
|
| switch (state) {
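Review bot: UnholeForBug16276 leaves no trace in builds where `ASSERT` is compiled out: the hole is replaced by `Factory::undefined_value()` and execution continues, so the condition the comment wants tracked down becomes invisible in the field. Whether `ASSERT` is debug-only is not shown in this hunk, but the explicit fallback return after it suggests so. The header comment should state that contract, for example `// Release builds: a hole receiver is silently replaced by undefined; debug builds abort.`, and name the condition under which the workaround is removed. If the tree has a non-fatal reporting path, calling it before the fallback return would keep the signal needed to find the root cause.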
|
| @@ -321,19 +332,19 @@
|
| Object* CallIC::LoadFunction(State state,
|
| Handle<Object> object,
|
| Handle<String> name) {
|
| + object = UnholeForBug16276(object);
|
| +
|
| // If the object is undefined or null it's illegal to try to get any
|
| // of its properties; throw a TypeError in that case.
|
| if (object->IsUndefined() || object->IsNull()) {
|
| return TypeError("non_object_property_call", object, name);
|
| }
|
|
|
| - Object* result = Heap::the_hole_value();
|
| -
|
| // Check if the name is trivially convertible to an index and get
|
| // the element if so.
|
| uint32_t index;
|
| if (name->AsArrayIndex(&index)) {
|
| - result = object->GetElement(index);
|
| + Object* result = object->GetElement(index);
|
| if (result->IsJSFunction()) return result;
|
|
|
| // Try to find a suitable function delegate for the object at hand.
|
| @@ -363,7 +374,7 @@
|
|
|
| // Get the property.
|
| PropertyAttributes attr;
|
| - result = object->GetProperty(*object, &lookup, *name, &attr);
|
| + Object* result = object->GetProperty(*object, &lookup, *name, &attr);
|
| if (result->IsFailure()) return result;
|
| if (lookup.type() == INTERCEPTOR) {
|
| // If the object does not have the requested property, check which
|
| @@ -376,7 +387,7 @@
|
| }
|
| }
|
|
|
| - ASSERT(result != Heap::the_hole_value());
|
| + ASSERT(!result->IsTheHole());
|
|
|
| if (result->IsJSFunction()) {
|
| // Check if there is an optimized (builtin) version of the function.
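Review bot: The result check `ASSERT(!result->IsTheHole());` is still only an assertion, so if `ASSERT` is compiled out in release builds, a hole returned by `GetProperty` would proceed to `result->IsJSFunction()` and the code after it. That is inconsistent with the receiver handling added at the top of `CallIC::LoadFunction`, which takes a defined fallback instead of relying on the assertion. Either handle the hole explicitly at this point or document the gap, e.g. `// Debug-only check: release builds do not re-validate result.` The function body starts and ends outside this hunk.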
|
| @@ -507,6 +518,8 @@
|
|
|
|
|
| Object* LoadIC::Load(State state, Handle<Object> object, Handle<String> name) {
|
| + object = UnholeForBug16276(object);
|
| +
|
| // If the object is undefined or null it's illegal to try to get any
|
| // of its properties; throw a TypeError in that case.
|
| if (object->IsUndefined() || object->IsNull()) {
|
| @@ -719,6 +732,8 @@
|
| Object* KeyedLoadIC::Load(State state,
|
| Handle<Object> object,
|
| Handle<Object> key) {
|
| + object = UnholeForBug16276(object);
|
| +
|
| if (key->IsSymbol()) {
|
| Handle<String> name = Handle<String>::cast(key);
|
|
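Review bot: Only the receiver is passed through `UnholeForBug16276` here; `key` goes straight to `key->IsSymbol()` unchecked, and the two store hunks that follow (`@@ -944` and `@@ -1062`) likewise leave `key` and `value` unsanitised. Since the root cause of the leak is unknown, nothing visible rules out the hole arriving in those handles, and a hole stored as a property value would persist in the heap rather than fail at the call. If the narrow scope is intentional, say so at the call site, e.g. `// Workaround for crbug.com/16276 covers the receiver only; key is not checked.`; otherwise apply the same helper, `key = UnholeForBug16276(key);`. The body of `KeyedLoadIC::Load` continues outside the hunk.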
|
| @@ -944,6 +959,8 @@
|
| Handle<Object> object,
|
| Handle<String> name,
|
| Handle<Object> value) {
|
| + object = UnholeForBug16276(object);
|
| +
|
| // If the object is undefined or null it's illegal to try to set any
|
| // properties on it; throw a TypeError in that case.
|
| if (object->IsUndefined() || object->IsNull()) {
|
| @@ -1062,11 +1079,13 @@
|
| Handle<Object> object,
|
| Handle<Object> key,
|
| Handle<Object> value) {
|
| + object = UnholeForBug16276(object);
|
| +
|
| if (key->IsSymbol()) {
|
| Handle<String> name = Handle<String>::cast(key);
|
|
|
| - // If the object is undefined or null it's illegal to try to set any
|
| - // properties on it; throw a TypeError in that case.
|
| + // If the object is undefined or null it's illegal to try to set
|
| + // any properties on it; throw a TypeError in that case.
|
| if (object->IsUndefined() || object->IsNull()) {
|
| return TypeError("non_object_property_store", object, name);
|
| }
|
|
|