Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject.

src/deoptimizer.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 1657 matching lines @@
     // Construct an arguments object and copy the parameters to a newly
     // allocated arguments object backing store.
     Handle<JSFunction> function = ArgumentsObjectFunction(object_index);
     Handle<JSObject> arguments =
         isolate_->factory()->NewArgumentsObject(function, length);
     Handle<FixedArray> array = isolate_->factory()->NewFixedArray(length);
     ASSERT(array->length() == length);
     arguments->set_elements(*array);
     materialized_objects_->Add(arguments);
     for (int i = 0; i < length; ++i) {
-      array->set(i, *MaterializeNextValue());
+      Handle<Object> value = MaterializeNextValue();
+      array->set(i, *value);
     }
   } else {
     // Dispatch on the instance type of the object to be materialized.
     Handle<Map> map = Handle<Map>::cast(MaterializeNextValue());
     switch (map->instance_type()) {
       case HEAP_NUMBER_TYPE: {
         Handle<HeapNumber> number =
             Handle<HeapNumber>::cast(MaterializeNextValue());
         materialized_objects_->Add(number);
         materialization_value_index_ += kDoubleSize / kPointerSize - 1;
         break;
       }
       case JS_OBJECT_TYPE: {
         Handle<JSObject> object =
             isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED, false);
         materialized_objects_->Add(object);
-        object->set_properties(FixedArray::cast(*MaterializeNextValue()));
-        object->set_elements(FixedArray::cast(*MaterializeNextValue()));
+        Handle<Object> properties = MaterializeNextValue();
+        Handle<Object> elements = MaterializeNextValue();
+        object->set_properties(FixedArray::cast(*properties));
+        object->set_elements(FixedArray::cast(*elements));
         for (int i = 0; i < length - 3; ++i) {
-          object->FastPropertyAtPut(i, *MaterializeNextValue());
+          Handle<Object> value = MaterializeNextValue();
+          object->FastPropertyAtPut(i, *value);
         }
         break;
       }
       default:
         PrintF("[couldn't handle instance type %d]\n", map->instance_type());
         UNREACHABLE();
     }
   }
 
   return materialized_objects_->at(object_index);
@@ skipping 1596 matching lines @@
 
 void DeoptimizedFrameInfo::Iterate(ObjectVisitor* v) {
   v->VisitPointer(BitCast<Object**>(&function_));
   v->VisitPointers(parameters_, parameters_ + parameters_count_);
   v->VisitPointers(expression_stack_, expression_stack_ + expression_count_);
 }
 
 #endif  // ENABLE_DEBUGGER_SUPPORT
 
 } }  // namespace v8::internal