Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject.
authormstarzinger@chromium.org <mstarzinger@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 9 Aug 2013 09:49:15 +0000 (09:49 +0000)
committermstarzinger@chromium.org <mstarzinger@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 9 Aug 2013 09:49:15 +0000 (09:49 +0000)
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/22327008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/deoptimizer.cc

index 525f978..dc9ffc5 100644 (file)
@@ -1675,7 +1675,8 @@ Handle<Object> Deoptimizer::MaterializeNextHeapObject() {
     arguments->set_elements(*array);
     materialized_objects_->Add(arguments);
     for (int i = 0; i < length; ++i) {
-      array->set(i, *MaterializeNextValue());
+      Handle<Object> value = MaterializeNextValue();
+      array->set(i, *value);
     }
   } else {
     // Dispatch on the instance type of the object to be materialized.
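Review bot: The new temporary `value` in the arguments-object loop has no comment saying why it exists, so a later cleanup could fold it back into `array->set(i, *MaterializeNextValue())`. The hazard being fixed is presumably that `MaterializeNextValue()` can allocate and trigger a GC after `array` has already been dereferenced to a raw pointer, because the receiver and the argument are not sequenced relative to each other. I would add `// MaterializeNextValue() may allocate; call it before dereferencing any handle.` above the declaration, and the same above `properties`/`elements` and the loop temporary in the second hunk. MaterializeNextHeapObject continues outside both hunks, so any other `*MaterializeNextValue()` passed directly as an argument elsewhere in the switch should be checked as well.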
@@ -1692,10 +1693,13 @@ Handle<Object> Deoptimizer::MaterializeNextHeapObject() {
         Handle<JSObject> object =
             isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED, false);
         materialized_objects_->Add(object);
-        object->set_properties(FixedArray::cast(*MaterializeNextValue()));
-        object->set_elements(FixedArray::cast(*MaterializeNextValue()));
+        Handle<Object> properties = MaterializeNextValue();
+        Handle<Object> elements = MaterializeNextValue();
+        object->set_properties(FixedArray::cast(*properties));
+        object->set_elements(FixedArray::cast(*elements));
         for (int i = 0; i < length - 3; ++i) {
-          object->FastPropertyAtPut(i, *MaterializeNextValue());
+          Handle<Object> value = MaterializeNextValue();
+          object->FastPropertyAtPut(i, *value);
         }
         break;
       }
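Review bot: `properties` and `elements` are held as `Handle<Object>` and only narrowed with `FixedArray::cast(*properties)` at the point of use, so the expected type is not visible where the value is produced. Casting the handle instead, `Handle<FixedArray> properties = Handle<FixedArray>::cast(MaterializeNextValue());` and likewise for `elements`, keeps the allocating call sequenced before the setter and lets the calls read `object->set_properties(*properties);`. The cast is presumably only asserted in debug builds either way, so this is a readability point and not an added runtime check. The enclosing case begins above the hunk.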