[bootstrapper] Fix raw pointer use during potential GC.

This should fix a weird random crash we keep seeing on Linux nosnap
bot with TurboFan enabled.

BUG=v8:4435,v8:4423
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1374663002

Cr-Commit-Position: refs/heads/master@{#30968}

diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc
index 2f2216b..4bcebaa 100644 (file)
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1803,23 +1803,29 @@ void Bootstrapper::ExportFromRuntime(Isolate* isolate,
   PUBLIC_SYMBOL_LIST(EXPORT_PUBLIC_SYMBOL)
 #undef EXPORT_PUBLIC_SYMBOL
 
-  Handle<JSFunction> apply = InstallFunction(
-      container, "reflect_apply", JS_OBJECT_TYPE, JSObject::kHeaderSize,
-      MaybeHandle<JSObject>(), Builtins::kReflectApply);
-  apply->shared()->set_internal_formal_parameter_count(3);
-  apply->shared()->set_length(3);
-  apply->shared()->set_feedback_vector(
-      *TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate));
-  isolate->native_context()->set_reflect_apply(*apply);
-
-  Handle<JSFunction> construct = InstallFunction(
-      container, "reflect_construct", JS_OBJECT_TYPE, JSObject::kHeaderSize,
-      MaybeHandle<JSObject>(), Builtins::kReflectConstruct);
-  construct->shared()->set_internal_formal_parameter_count(3);
-  construct->shared()->set_length(2);
-  construct->shared()->set_feedback_vector(
-      *TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate));
-  isolate->native_context()->set_reflect_construct(*construct);
+  {
+    Handle<JSFunction> apply = InstallFunction(
+        container, "reflect_apply", JS_OBJECT_TYPE, JSObject::kHeaderSize,
+        MaybeHandle<JSObject>(), Builtins::kReflectApply);
+    apply->shared()->set_internal_formal_parameter_count(3);
+    apply->shared()->set_length(3);
+    Handle<TypeFeedbackVector> feedback_vector =
+        TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate);
+    apply->shared()->set_feedback_vector(*feedback_vector);
+    isolate->native_context()->set_reflect_apply(*apply);
+  }
+
+  {
+    Handle<JSFunction> construct = InstallFunction(
+        container, "reflect_construct", JS_OBJECT_TYPE, JSObject::kHeaderSize,
+        MaybeHandle<JSObject>(), Builtins::kReflectConstruct);
+    construct->shared()->set_internal_formal_parameter_count(3);
+    construct->shared()->set_length(2);
+    Handle<TypeFeedbackVector> feedback_vector =
+        TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate);
+    construct->shared()->set_feedback_vector(*feedback_vector);
+    isolate->native_context()->set_reflect_construct(*construct);
+  }
 }
 
 
@@ -2421,8 +2427,9 @@ bool Genesis::InstallNatives(ContextType context_type) {
     Handle<JSFunction> apply =
         InstallFunction(proto, "apply", JS_OBJECT_TYPE, JSObject::kHeaderSize,
                         MaybeHandle<JSObject>(), Builtins::kFunctionApply);
-    apply->shared()->set_feedback_vector(
-        *TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate()));
+    Handle<TypeFeedbackVector> feedback_vector =
+        TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate());
+    apply->shared()->set_feedback_vector(*feedback_vector);
 
     // Make sure that Function.prototype.call appears to be compiled.
     // The code will never be called, but inline caching for call will