| Index: src/runtime.cc
|
| ===================================================================
|
| --- src/runtime.cc (revision 5675)
|
| +++ src/runtime.cc (working copy)
|
| @@ -3538,12 +3538,12 @@
|
| if (((unchecked & (DONT_DELETE | DONT_ENUM | READ_ONLY)) != 0) &&
|
| is_element) {
|
| // Normalize the elements to enable attributes on the property.
|
| - js_object->NormalizeElements();
|
| - NumberDictionary* dictionary = js_object->element_dictionary();
|
| + NormalizeElements(js_object);
|
| + Handle<NumberDictionary> dictionary(js_object->element_dictionary());
|
| // Make sure that we never go back to fast case.
|
| dictionary->set_requires_slow_elements();
|
| PropertyDetails details = PropertyDetails(attr, NORMAL);
|
| - dictionary->Set(index, *obj_value, details);
|
| + NumberDictionarySet(dictionary, index, obj_value, details);
|
| }
|
|
|
| LookupResult result;
|
| @@ -3557,7 +3557,7 @@
|
| // new attributes.
|
| if (result.IsProperty() && attr != result.GetAttributes()) {
|
| // New attributes - normalize to avoid writing to instance descriptor
|
| - js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
|
| + NormalizeProperties(js_object, CLEAR_INOBJECT_PROPERTIES, 0);
|
| // Use IgnoreAttributes version since a readonly property may be
|
| // overridden and SetProperty does not allow this.
|
| return js_object->IgnoreAttributesAndSetLocalProperty(*name,
|
| @@ -4154,7 +4154,7 @@
|
| Handle<Object> object = args.at<Object>(0);
|
| if (object->IsJSObject()) {
|
| Handle<JSObject> js_object = Handle<JSObject>::cast(object);
|
| - js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
|
| + NormalizeProperties(js_object, CLEAR_INOBJECT_PROPERTIES, 0);
|
| }
|
| return *object;
|
| }
|
|
|
Chromium Code Reviews
Issue 3920005:
Fix GC error in ES5 read-only properties implementation. (Closed)
Base URL: http://v8.googlecode.com/svn/branches/bleeding_edge/