Fix three GC unsafe places found by gcmole's dead_vars analysis.

src/objects.cc

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 2215 matching lines @@
 
   // Call trap function.
   Object** args[] = {
       receiver.location(), name.location(), value.location()
   };
   bool has_exception;
   Handle<Object> result =
       Execution::Call(trap, handler, ARRAY_SIZE(args), args, &has_exception);
   if (has_exception) return Failure::Exception();
 
-  return value_raw;
+  return *value;
 }
 
 
 MUST_USE_RESULT PropertyAttributes JSProxy::GetPropertyAttributeWithHandler(
     JSReceiver* receiver_raw,
     String* name_raw,
     bool* has_exception) {
   Isolate* isolate = GetIsolate();
   HandleScope scope;
   Handle<JSReceiver> receiver(receiver_raw);
@@ skipping 811 matching lines @@
       FixedArray* new_elements = NULL;
       if (!maybe_elements->To(&new_elements)) {
         return maybe_elements;
       }
       set_elements(new_elements);
     }
     if (mode == STRICT_DELETION && result == heap->false_value()) {
       // In strict mode, attempting to delete a non-configurable property
       // throws an exception.
       HandleScope scope(isolate);
+      Handle<Object> holder(this);
       Handle<Object> name = isolate->factory()->NewNumberFromUint(index);
-      Handle<Object> args[2] = { name, Handle<Object>(this) };
+      Handle<Object> args[2] = { name, holder };
       Handle<Object> error =
           isolate->factory()->NewTypeError("strict_delete_property",
                                            HandleVector(args, 2));
       return isolate->Throw(*error);
     }
   }
   return heap->true_value();
 }
 
 
@@ skipping 5247 matching lines @@
   int entry = dictionary->FindEntry(index);
   if (entry != NumberDictionary::kNotFound) {
     Object* element = dictionary->ValueAt(entry);
     PropertyDetails details = dictionary->DetailsAt(entry);
     if (details.type() == CALLBACKS) {
       return SetElementWithCallback(element, index, value, this, strict_mode);
     } else {
       dictionary->UpdateMaxNumberKey(index);
       // If put fails in strict mode, throw an exception.
       if (!dictionary->ValueAtPut(entry, value) && strict_mode == kStrictMode) {
+        Handle<Object> holder(this);
         Handle<Object> number = isolate->factory()->NewNumberFromUint(index);
-        Handle<Object> holder(this);
         Handle<Object> args[2] = { number, holder };
         Handle<Object> error =
             isolate->factory()->NewTypeError("strict_read_only_property",
                                              HandleVector(args, 2));
         return isolate->Throw(*error);
       }
     }
   } else {
     // Index not already used. Look for an accessor in the prototype chain.
     if (check_prototype) {
@@ skipping 85 matching lines @@
   // If the value object is not a heap number, switch to fast elements and try
   // again.
   bool value_is_smi = value->IsSmi();
   if (!value->IsNumber()) {
     Object* obj;
     uint32_t length = elms_length;
     if (IsJSArray()) {
       CHECK(JSArray::cast(this)->length()->ToArrayIndex(&length));
     }
     MaybeObject* maybe_obj =
         SetFastElementsCapacityAndLength(elms_length, length);

[Rico, 2011/06/23 19:32:02]

Shouldn't value be in an handle here, SetFastElementsCapacityAndLength can
(actually, always do) allocation. In addition, we return value several places
below where we could potentially have had allocation in between.

[Mads Ager (chromium), 2011/06/23 19:49:30]

SetFastElementsCapacityAndLength does allocate, but it does not cause a GC. If
there is not enough room for the object it will return a failure. In that case
we will return in the line below and retry.

     if (!maybe_obj->ToObject(&obj)) return maybe_obj;
     return SetFastElement(index, value, strict_mode, check_prototype);
   }
 
   double double_value = value_is_smi
       ? static_cast<double>(Smi::cast(value)->value())
       : HeapNumber::cast(value)->value();
 
   // Check whether there is extra space in the fixed array.
   if (index < elms_length) {
@@ skipping 3194 matching lines @@
   if (break_point_objects()->IsUndefined()) return 0;
   // Single beak point.
   if (!break_point_objects()->IsFixedArray()) return 1;
   // Multiple break points.
   return FixedArray::cast(break_point_objects())->length();
 }
 #endif
 
 
 } }  // namespace v8::internal