Fix non-idempotent modification in JSObject::AddFastProperty.

R=verwaest@chromium.org
BUG=mozilla/ecma/Array/15.4.5.2-2

Review URL: https://codereview.chromium.org/15955010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/objects.cc b/src/objects.cc
index e83a32d..f45945b 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1824,15 +1824,18 @@ MaybeObject* JSObject::AddFastProperty(Name* name,
 
   Heap* heap = isolate->heap();
 
-  Map* new_map;
-  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
-  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
-
   Object* storage;
   MaybeObject* maybe_storage =
       value->AllocateNewStorageFor(heap, representation);
   if (!maybe_storage->To(&storage)) return maybe_storage;
 
+  // Note that Map::CopyAddDescriptor has side-effects, the new map is already
+  // inserted in the transition tree. No more allocations that might fail are
+  // allowed after this point.
+  Map* new_map;
+  MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
+  if (!maybe_new_map->To(&new_map)) return maybe_new_map;
+
   if (map()->unused_property_fields() == 0) {
     ASSERT(values != NULL);
     set_properties(values);