| Index: src/runtime.cc
|
| diff --git a/src/runtime.cc b/src/runtime.cc
|
| index 3787e0c77ca88afe9b6199993ffcb70424b87075..7dc6bce49782f99e4181ca3a2272dee781a70aaf 100644
|
| --- a/src/runtime.cc
|
| +++ b/src/runtime.cc
|
| @@ -348,10 +348,8 @@ MaybeObject* TransitionElements(Handle<Object> object,
|
| ElementsKind from_kind =
|
| Handle<JSObject>::cast(object)->map()->elements_kind();
|
| if (Map::IsValidElementsTransition(from_kind, to_kind)) {
|
| - Handle<Object> result = JSObject::TransitionElementsKind(
|
| - Handle<JSObject>::cast(object), to_kind);
|
| - if (result.is_null()) return isolate->ThrowIllegalOperation();
|
| - return *result;
|
| + JSObject::TransitionElementsKind(Handle<JSObject>::cast(object), to_kind);
|
| + return *object;
|
| }
|
| return isolate->ThrowIllegalOperation();
|
| }
|
| @@ -518,7 +516,10 @@ static Handle<AllocationSite> GetLiteralAllocationSite(
|
| ASSERT(*elements != isolate->heap()->empty_fixed_array());
|
| Handle<Object> boilerplate =
|
| Runtime::CreateArrayLiteralBoilerplate(isolate, literals, elements);
|
| - if (boilerplate.is_null()) return site;
|
| + if (boilerplate.is_null()) {
|
| + ASSERT(site.is_null());
|
| + return site;
|
| + }
|
| site = isolate->factory()->NewAllocationSite();
|
| site->set_transition_info(*boilerplate);
|
| literals->set(literals_index, *site);
|
| @@ -568,8 +569,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_CreateArrayLiteralShallow) {
|
| AllocationSiteMode mode = AllocationSite::GetMode(
|
| boilerplate->GetElementsKind());
|
| if (mode == TRACK_ALLOCATION_SITE) {
|
| - return isolate->heap()->CopyJSObjectWithAllocationSite(
|
| - boilerplate, *site);
|
| + return isolate->heap()->CopyJSObject(boilerplate, *site);
|
| }
|
|
|
| return isolate->heap()->CopyJSObject(boilerplate);
|
| @@ -933,17 +933,24 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayInitializeFromArrayLike) {
|
| HandleVector<Object>(NULL, 0)));
|
| }
|
|
|
| + // NOTE: not initializing backing store.
|
| // We assume that the caller of this function will initialize holder
|
| // with the loop
|
| // for(i = 0; i < length; i++) { holder[i] = source[i]; }
|
| + // We assume that the caller of this function is always a typed array
|
| + // constructor.
|
| // If source is a typed array, this loop will always run to completion,
|
| // so we are sure that the backing store will be initialized.
|
| - // Otherwise, we do not know (the indexing operation might throw).
|
| - // Hence we require zero initialization unless our source is a typed array.
|
| - bool should_zero_initialize = !source->IsJSTypedArray();
|
| + // Otherwise, the indexing operation might throw, so the loop will not
|
| + // run to completion and the typed array might remain partly initialized.
|
| + // However we further assume that the caller of this function is a typed array
|
| + // constructor, and the exception will propagate out of the constructor,
|
| + // therefore uninitialized memory will not be accessible by a user program.
|
| + //
|
| + // TODO(dslomov): revise this once we support subclassing.
|
|
|
| if (!Runtime::SetupArrayBufferAllocatingData(
|
| - isolate, buffer, byte_length, should_zero_initialize)) {
|
| + isolate, buffer, byte_length, false)) {
|
| return isolate->Throw(*isolate->factory()->
|
| NewRangeError("invalid_array_buffer_length",
|
| HandleVector<Object>(NULL, 0)));
|
| @@ -1823,10 +1830,12 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_GetOwnProperty) {
|
|
|
|
|
| RUNTIME_FUNCTION(MaybeObject*, Runtime_PreventExtensions) {
|
| - SealHandleScope shs(isolate);
|
| + HandleScope scope(isolate);
|
| ASSERT(args.length() == 1);
|
| - CONVERT_ARG_CHECKED(JSObject, obj, 0);
|
| - return obj->PreventExtensions();
|
| + CONVERT_ARG_HANDLE_CHECKED(JSObject, obj, 0);
|
| + Handle<Object> result = JSObject::PreventExtensions(obj);
|
| + RETURN_IF_EMPTY_HANDLE(isolate, result);
|
| + return *result;
|
| }
|
|
|
|
|
| @@ -1850,8 +1859,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_RegExpCompile) {
|
| CONVERT_ARG_HANDLE_CHECKED(JSRegExp, re, 0);
|
| CONVERT_ARG_HANDLE_CHECKED(String, pattern, 1);
|
| CONVERT_ARG_HANDLE_CHECKED(String, flags, 2);
|
| - Handle<Object> result =
|
| - RegExpImpl::Compile(re, pattern, flags);
|
| + Handle<Object> result = RegExpImpl::Compile(re, pattern, flags);
|
| RETURN_IF_EMPTY_HANDLE(isolate, result);
|
| return *result;
|
| }
|
| @@ -5921,12 +5929,13 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_GetArgumentsProperty) {
|
|
|
|
|
| RUNTIME_FUNCTION(MaybeObject*, Runtime_ToFastProperties) {
|
| - SealHandleScope shs(isolate);
|
| + HandleScope scope(isolate);
|
| ASSERT(args.length() == 1);
|
| - Object* object = args[0];
|
| - return (object->IsJSObject() && !object->IsGlobalObject())
|
| - ? JSObject::cast(object)->TransformToFastProperties(0)
|
| - : object;
|
| + CONVERT_ARG_HANDLE_CHECKED(Object, object, 0);
|
| + if (object->IsJSObject() && !object->IsGlobalObject()) {
|
| + JSObject::TransformToFastProperties(Handle<JSObject>::cast(object), 0);
|
| + }
|
| + return *object;
|
| }
|
|
|
|
|
|
|
Chromium Code Reviews
Issue 142693005:
A64: Synchronize with r16918. (Closed)
Base URL: https://v8.googlecode.com/svn/branches/experimental/a64