| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Redistribution and use in source and binary forms, with or without | 2 // Redistribution and use in source and binary forms, with or without |
| 3 // modification, are permitted provided that the following conditions are | 3 // modification, are permitted provided that the following conditions are |
| 4 // met: | 4 // met: |
| 5 // | 5 // |
| 6 // * Redistributions of source code must retain the above copyright | 6 // * Redistributions of source code must retain the above copyright |
| 7 // notice, this list of conditions and the following disclaimer. | 7 // notice, this list of conditions and the following disclaimer. |
| 8 // * Redistributions in binary form must reproduce the above | 8 // * Redistributions in binary form must reproduce the above |
| 9 // copyright notice, this list of conditions and the following | 9 // copyright notice, this list of conditions and the following |
| 10 // disclaimer in the documentation and/or other materials provided | 10 // disclaimer in the documentation and/or other materials provided |
| (...skipping 1472 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1483 set_properties(new_properties); | 1483 set_properties(new_properties); |
| 1484 } | 1484 } |
| 1485 set_map(map); | 1485 set_map(map); |
| 1486 return this; | 1486 return this; |
| 1487 } | 1487 } |
| 1488 | 1488 |
| 1489 | 1489 |
| 1490 bool JSObject::TryTransitionToField(Handle<JSObject> object, | 1490 bool JSObject::TryTransitionToField(Handle<JSObject> object, |
| 1491 Handle<Name> key) { | 1491 Handle<Name> key) { |
| 1492 if (!object->map()->HasTransitionArray()) return false; | 1492 if (!object->map()->HasTransitionArray()) return false; |
| 1493 Handle<TransitionArray> transitions(object->map()->transitions()); | 1493 TransitionArray* transitions = object->map()->transitions(); |
| 1494 int transition = transitions->Search(*key); | 1494 int transition = transitions->Search(*key); |
| 1495 if (transition == TransitionArray::kNotFound) return false; | 1495 if (transition == TransitionArray::kNotFound) return false; |
| 1496 PropertyDetails target_details = transitions->GetTargetDetails(transition); | 1496 PropertyDetails target_details = transitions->GetTargetDetails(transition); |
| 1497 if (target_details.type() != FIELD) return false; | 1497 if (target_details.type() != FIELD) return false; |
| 1498 if (target_details.attributes() != NONE) return false; | 1498 if (target_details.attributes() != NONE) return false; |
| 1499 Handle<Map> target(transitions->GetTarget(transition)); | 1499 Handle<Map> target(transitions->GetTarget(transition)); |
| 1500 JSObject::AddFastPropertyUsingMap(object, target); | 1500 JSObject::AddFastPropertyUsingMap(object, target); |
| 1501 return true; | 1501 return true; |
| 1502 } | 1502 } |
| 1503 | 1503 |
| (...skipping 2617 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4121 | 4121 |
| 4122 TransitionArray* Map::transitions() { | 4122 TransitionArray* Map::transitions() { |
| 4123 ASSERT(HasTransitionArray()); | 4123 ASSERT(HasTransitionArray()); |
| 4124 Object* object = READ_FIELD(this, kTransitionsOrBackPointerOffset); | 4124 Object* object = READ_FIELD(this, kTransitionsOrBackPointerOffset); |
| 4125 return TransitionArray::cast(object); | 4125 return TransitionArray::cast(object); |
| 4126 } | 4126 } |
| 4127 | 4127 |
| 4128 | 4128 |
| 4129 void Map::set_transitions(TransitionArray* transition_array, | 4129 void Map::set_transitions(TransitionArray* transition_array, |
| 4130 WriteBarrierMode mode) { | 4130 WriteBarrierMode mode) { |
| 4131 // In release mode, only run this code if verify_heap is on. | 4131 // Transition arrays are not shared. When one is replaced, it should not |
| 4132 if (Heap::ShouldZapGarbage() && HasTransitionArray()) { | 4132 // keep referenced objects alive, so we zap it. |
| 4133 CHECK(transitions() != transition_array); | 4133 // When there is another reference to the array somewhere (e.g. a handle), |
| 4134 // not zapping turns from a waste of memory into a source of crashes. |
| 4135 if (HasTransitionArray()) { |
| 4136 ASSERT(transitions() != transition_array); |
| 4134 ZapTransitions(); | 4137 ZapTransitions(); |
| 4135 } | 4138 } |
| 4136 | 4139 |
| 4137 WRITE_FIELD(this, kTransitionsOrBackPointerOffset, transition_array); | 4140 WRITE_FIELD(this, kTransitionsOrBackPointerOffset, transition_array); |
| 4138 CONDITIONAL_WRITE_BARRIER( | 4141 CONDITIONAL_WRITE_BARRIER( |
| 4139 GetHeap(), this, kTransitionsOrBackPointerOffset, transition_array, mode); | 4142 GetHeap(), this, kTransitionsOrBackPointerOffset, transition_array, mode); |
| 4140 } | 4143 } |
| 4141 | 4144 |
| 4142 | 4145 |
| 4143 void Map::init_back_pointer(Object* undefined) { | 4146 void Map::init_back_pointer(Object* undefined) { |
| (...skipping 1871 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6015 #undef WRITE_UINT32_FIELD | 6018 #undef WRITE_UINT32_FIELD |
| 6016 #undef READ_SHORT_FIELD | 6019 #undef READ_SHORT_FIELD |
| 6017 #undef WRITE_SHORT_FIELD | 6020 #undef WRITE_SHORT_FIELD |
| 6018 #undef READ_BYTE_FIELD | 6021 #undef READ_BYTE_FIELD |
| 6019 #undef WRITE_BYTE_FIELD | 6022 #undef WRITE_BYTE_FIELD |
| 6020 | 6023 |
| 6021 | 6024 |
| 6022 } } // namespace v8::internal | 6025 } } // namespace v8::internal |
| 6023 | 6026 |
| 6024 #endif // V8_OBJECTS_INL_H_ | 6027 #endif // V8_OBJECTS_INL_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12987013:
Fix crash involving zombie maps escaping from the JSON parser's underground lab (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge