From: mstarzinger@chromium.org Date: Fri, 9 Aug 2013 09:49:15 +0000 (+0000) Subject: Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject. X-Git-Tag: upstream/4.7.83~12990 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=899e80130e31741d7504979727d83605a3962bfc;p=platform%2Fupstream%2Fv8.git Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject. R=yangguo@chromium.org Review URL: https://codereview.chromium.org/22327008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index 525f978..dc9ffc5 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -1675,7 +1675,8 @@ Handle Deoptimizer::MaterializeNextHeapObject() {
 arguments->set_elements(*array);
 materialized_objects_->Add(arguments);
 for (int i = 0; i < length; ++i) {
- array->set(i, *MaterializeNextValue());
+ Handle value = MaterializeNextValue();
+ array->set(i, *value);
 }
 } else {
 // Dispatch on the instance type of the object to be materialized.
@@ -1692,10 +1693,13 @@ Handle Deoptimizer::MaterializeNextHeapObject() {
 Handle object = isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED, false);
 materialized_objects_->Add(object);
- object->set_properties(FixedArray::cast(*MaterializeNextValue()));
- object->set_elements(FixedArray::cast(*MaterializeNextValue()));
+ Handle properties = MaterializeNextValue();
+ Handle elements = MaterializeNextValue();
+ object->set_properties(FixedArray::cast(*properties));
+ object->set_elements(FixedArray::cast(*elements));
 for (int i = 0; i < length - 3; ++i) {
- object->FastPropertyAtPut(i, *MaterializeNextValue());
+ Handle value = MaterializeNextValue();
+ object->FastPropertyAtPut(i, *value);
 }
 break;
 }
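Review bot: The new `value` temporary inside the `for` loop carries no comment saying why the call must not be folded back into `array->set(i, ...)`, so a later cleanup could re-inline it and restore what the subject line calls handle unsafety. Presumably `MaterializeNextValue()` can allocate and move `array` after `array->` has already produced a raw pointer; if that is the reason, state it above the temporary: `// MaterializeNextValue() may allocate; keep its result in a handle before dereferencing array.` The same comment fits the `properties`, `elements` and `value` temporaries in the second hunk (`@@ -1692,10 +1693,13 @@`). MaterializeNextHeapObject starts and ends outside this hunk, so any other `*MaterializeNextValue()` argument uses in it cannot be checked from here.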
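Review bot: `FixedArray::cast(*properties)` and `FixedArray::cast(*elements)` treat whatever `MaterializeNextValue()` returned as a FixedArray, and nothing visible in this hunk verifies that before the setters run. If `cast` is only checked in debug builds (worth confirming), a value of the wrong type would be installed as the object's backing store in release builds. Adding `CHECK(properties->IsFixedArray());` and `CHECK(elements->IsFixedArray());` ahead of the two setters would turn that into a clean abort. The enclosing block and the function both start outside this hunk.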