From 8707b362332e23875f5e1f8952e270fe6dc54aef Mon Sep 17 00:00:00 2001
From: "sgjesse@chromium.org"
 <sgjesse@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Mon, 18 Jan 2010 14:13:58 +0000
Subject: [PATCH] Fix GC bug

The patching of the receiver added in r3616 was not GC-safe and could leave a failure object in place of the receiver if allocation of the wrapper JS object failed.
Review URL: http://codereview.chromium.org/546068

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3633 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/factory.cc | 5 +++++
 src/factory.h  | 1 +
 src/ic.cc      | 6 +++---
 src/ic.h       | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/factory.cc b/src/factory.cc
index a406350..8d20749 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -718,6 +718,11 @@ Handle<JSFunction> Factory::NewFunction(Handle<String> name,
 }
 
 
+Handle<Object> Factory::ToObject(Handle<Object> object) {
+  CALL_HEAP_FUNCTION(object->ToObject(), Object);
+}
+
+
 Handle<Object> Factory::ToObject(Handle<Object> object,
                                  Handle<Context> global_context) {
   CALL_HEAP_FUNCTION(object->ToObject(*global_context), Object);
diff --git a/src/factory.h b/src/factory.h
index fd277f2..2a347cd 100644
--- a/src/factory.h
+++ b/src/factory.h
@@ -229,6 +229,7 @@ class Factory : public AllStatic {
 
   static Handle<Code> CopyCode(Handle<Code> code);
 
+  static Handle<Object> ToObject(Handle<Object> object);
   static Handle<Object> ToObject(Handle<Object> object,
                                  Handle<Context> global_context);
 
diff --git a/src/ic.cc b/src/ic.cc
index 7627654..d823c91 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -378,7 +378,7 @@ Object* CallIC::TryCallAsFunction(Object* object) {
   return *delegate;
 }
 
-void CallIC::ReceiverToObject(Object* object) {
+void CallIC::ReceiverToObject(Handle<Object> object) {
   HandleScope scope;
   Handle<Object> receiver(object);
 
@@ -387,7 +387,7 @@ void CallIC::ReceiverToObject(Object* object) {
   StackFrameLocator locator;
   JavaScriptFrame* frame = locator.FindJavaScriptFrame(0);
   int index = frame->ComputeExpressionsCount() - (argc + 1);
-  frame->SetExpression(index, object->ToObject());
+  frame->SetExpression(index, *Factory::ToObject(object));
 }
 
 
@@ -401,7 +401,7 @@ Object* CallIC::LoadFunction(State state,
   }
 
   if (object->IsString() || object->IsNumber() || object->IsBoolean()) {
-    ReceiverToObject(*object);
+    ReceiverToObject(object);
   }
 
   // Check if the name is trivially convertible to an index and get
diff --git a/src/ic.h b/src/ic.h
index 5bbc584..be7f956 100644
--- a/src/ic.h
+++ b/src/ic.h
@@ -209,7 +209,7 @@ class CallIC: public IC {
   // Otherwise, it returns the undefined value.
   Object* TryCallAsFunction(Object* object);
 
-  void ReceiverToObject(Object* object);
+  void ReceiverToObject(Handle<Object> object);
 
   static void Clear(Address address, Code* target);
   friend class IC;
-- 
2.7.4