From 899e80130e31741d7504979727d83605a3962bfc Mon Sep 17 00:00:00 2001
From: "mstarzinger@chromium.org"
Date: Fri, 9 Aug 2013 09:49:15 +0000
Subject: [PATCH] Fix handle unsafety in Deoptimizer::MaterializeNextHeapObject.

R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/22327008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/deoptimizer.cc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index 525f978..dc9ffc5 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -1675,7 +1675,8 @@ Handle Deoptimizer::MaterializeNextHeapObject() {
 arguments->set_elements(*array);
 materialized_objects_->Add(arguments);
 for (int i = 0; i < length; ++i) {
- array->set(i, *MaterializeNextValue());
+ Handle value = MaterializeNextValue();
+ array->set(i, *value);
 }
 } else {
 // Dispatch on the instance type of the object to be materialized.
@@ -1692,10 +1693,13 @@ Handle Deoptimizer::MaterializeNextHeapObject() {
 Handle object =
 isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED, false);
 materialized_objects_->Add(object);
- object->set_properties(FixedArray::cast(*MaterializeNextValue()));
- object->set_elements(FixedArray::cast(*MaterializeNextValue()));
+ Handle properties = MaterializeNextValue();
+ Handle elements = MaterializeNextValue();
+ object->set_properties(FixedArray::cast(*properties));
+ object->set_elements(FixedArray::cast(*elements));
 for (int i = 0; i < length - 3; ++i) {
- object->FastPropertyAtPut(i, *MaterializeNextValue());
+ Handle value = MaterializeNextValue();
+ object->FastPropertyAtPut(i, *value);
 }
 break;
 }
--
2.7.4
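Review bot: Nothing in the new code says why each value is bound to a local handle before the store, so in the first hunk `Handle value = MaterializeNextValue(); array->set(i, *value);` reads like a redundant temporary that a later cleanup could fold back into the unsafe one-liner; the same applies to the `properties`, `elements` and `value` locals in the second hunk. If MaterializeNextValue() can allocate (the commit title implies it, but its body is not visible here), the removed form could dereference `array` or `object` before a GC moved it and then write through a stale pointer, so the ordering is a memory-safety invariant worth stating. I would add above each site something like `// MaterializeNextValue() may allocate and trigger GC; take its result in a handle before dereferencing the receiver.` The patch touches only src/deoptimizer.cc, so a regression test that deoptimizes with materialized objects under GC stress would help keep the one-liner from coming back. MaterializeNextHeapObject begins and ends outside both hunks.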