| Index: src/deoptimizer.cc
|
| diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
|
| index 525f9782d18f2709bf5b5d3a8dd7a39fefcc7957..dc9ffc51186be1c5535297c6adf77f9efbf922b1 100644
|
| --- a/src/deoptimizer.cc
|
| +++ b/src/deoptimizer.cc
|
| @@ -1675,7 +1675,8 @@ Handle<Object> Deoptimizer::MaterializeNextHeapObject() {
|
| arguments->set_elements(*array);
|
| materialized_objects_->Add(arguments);
|
| for (int i = 0; i < length; ++i) {
|
| - array->set(i, *MaterializeNextValue());
|
| + Handle<Object> value = MaterializeNextValue();
|
| + array->set(i, *value);
|
| }
|
| } else {
|
| // Dispatch on the instance type of the object to be materialized.
|
| @@ -1692,10 +1693,13 @@ Handle<Object> Deoptimizer::MaterializeNextHeapObject() {
|
| Handle<JSObject> object =
|
| isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED, false);
|
| materialized_objects_->Add(object);
|
| - object->set_properties(FixedArray::cast(*MaterializeNextValue()));
|
| - object->set_elements(FixedArray::cast(*MaterializeNextValue()));
|
| + Handle<Object> properties = MaterializeNextValue();
|
| + Handle<Object> elements = MaterializeNextValue();
|
| + object->set_properties(FixedArray::cast(*properties));
|
| + object->set_elements(FixedArray::cast(*elements));
|
| for (int i = 0; i < length - 3; ++i) {
|
| - object->FastPropertyAtPut(i, *MaterializeNextValue());
|
| + Handle<Object> value = MaterializeNextValue();
|
| + object->FastPropertyAtPut(i, *value);
|
| }
|
| break;
|
| }
|
|
|
Chromium Code Reviews
Issue 22327008:
Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject. (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge