Chromium Code Reviews Chromium Code Reviews
Issue 1337943005:
Fix initialization order (setup) for JSArrayBuffer objects. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master| Index: src/objects.cc |
| diff --git a/src/objects.cc b/src/objects.cc |
| index 50551dba8f20663be82a149bbb59ec6d80757381..30ac6aef468e72c754a5b501e4c06b428a47cfff 100644 |
| --- a/src/objects.cc |
| +++ b/src/objects.cc |
| @@ -16132,7 +16132,6 @@ void JSArrayBuffer::Setup(Handle<JSArrayBuffer> array_buffer, Isolate* isolate, |
| for (int i = 0; i < v8::ArrayBuffer::kInternalFieldCount; i++) { |
| array_buffer->SetInternalField(i, Smi::FromInt(0)); |
| } |
| - array_buffer->set_backing_store(data); |
| array_buffer->set_bit_field(0); |
| array_buffer->set_is_external(is_external); |
| array_buffer->set_is_neuterable(shared == SharedFlag::kNotShared); |
| @@ -16142,6 +16141,11 @@ void JSArrayBuffer::Setup(Handle<JSArrayBuffer> array_buffer, Isolate* isolate, |
| isolate->factory()->NewNumberFromSize(allocated_length); |
| CHECK(byte_length->IsSmi() || byte_length->IsHeapNumber()); |
| array_buffer->set_byte_length(*byte_length); |
| + // Initialize backing store at last to avoid handling of |JSArrayBuffers| that |
| + // are currently being constructed in the |ArrayBufferTracker|. The |
| + // registration method below handles the case of registering a buffer that has |
| + // already been promoted. |
| + array_buffer->set_backing_store(data); |
| if (data && !is_external) { |
| isolate->heap()->RegisterNewArrayBuffer(*array_buffer); |
| @@ -16191,8 +16195,14 @@ Handle<JSArrayBuffer> JSTypedArray::MaterializeArrayBuffer( |
| void* backing_store = |
| isolate->array_buffer_allocator()->AllocateUninitialized( |
| fixed_typed_array->DataSize()); |
| - buffer->set_backing_store(backing_store); |
| buffer->set_is_external(false); |
| + DCHECK(buffer->byte_length->IsHeapNumber() && |
|
jochen (gone - plz use gerrit)
2015/09/14 11:06:24
can also be a smi, no?
Michael Lippautz
2015/09/14 11:09:45
Yes, figured this out after starting the dry run..
|
| + (*(buffer->byte_length) == fixed_typed_array->DataSize())); |
| + // Initialize backing store at last to avoid handling of |JSArrayBuffers| that |
| + // are currently being constructed in the |ArrayBufferTracker|. The |
| + // registration method below handles the case of registering a buffer that has |
| + // already been promoted. |
| + buffer->set_backing_store(backing_store); |
| isolate->heap()->RegisterNewArrayBuffer(*buffer); |
| memcpy(buffer->backing_store(), |
| fixed_typed_array->DataPtr(), |
