From 963cc2e49c73032f15bd4e5a9ebe147d24c0022f Mon Sep 17 00:00:00 2001
From: "erik.corry@gmail.com"
Date: Wed, 20 Oct 2010 13:19:03 +0000
Subject: [PATCH] Fix GC error in ES5 read-only properties implementation.

Review URL: http://codereview.chromium.org/3920005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5676 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/handles.cc | 8 +++++++
 src/handles.h | 4 ++++
 src/runtime.cc | 10 ++++-----
 test/mjsunit/define-property-gc.js | 45 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+), 5 deletions(-)
 create mode 100644 test/mjsunit/define-property-gc.js

diff --git a/src/handles.cc b/src/handles.cc
index 8fe29bb..c16ea48 100644
--- a/src/handles.cc
+++ b/src/handles.cc
@@ -210,6 +210,14 @@ void TransformToFastProperties(Handle object,
 }
+void NumberDictionarySet(Handle dictionary,
+ uint32_t index,
+ Handle value,
+ PropertyDetails details) {
+ CALL_HEAP_FUNCTION_VOID(dictionary->Set(index, *value, details));
+}
+
+
 void FlattenString(Handle string) {
 CALL_HEAP_FUNCTION_VOID(string->TryFlatten());
 }
diff --git a/src/handles.h b/src/handles.h
index 69170ff..c308eaf 100644
--- a/src/handles.h
+++ b/src/handles.h
@@ -193,6 +193,10 @@ void NormalizeProperties(Handle object,
 void NormalizeElements(Handle object);
 void TransformToFastProperties(Handle object, int unused_property_fields);
+void NumberDictionarySet(Handle dictionary,
+ uint32_t index,
+ Handle value,
+ PropertyDetails details);
 // Flattens a string.
 void FlattenString(Handle str);
diff --git a/src/runtime.cc b/src/runtime.cc
index 9a604a0..4ebf18a 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
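Review bot: The new `NumberDictionarySet` declaration in the handles.h hunk carries no comment, while its neighbour `FlattenString` is documented (`// Flattens a string.`), so nothing tells a caller why this exists next to `NumberDictionary::Set`. The handles.cc hunk shows the store is wrapped in `CALL_HEAP_FUNCTION_VOID` and that both the dictionary and the value are passed as handles, which is the property a caller needs to know about; a comment at the declaration such as `// Handle-based wrapper for NumberDictionary::Set; use it where the store may run during an allocation-triggered GC.` would record that. Whether `Set` can actually allocate is not visible in either hunk, so the wording should be checked against NumberDictionary::Set before landing.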
@@ -3538,12 +3538,12 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
 if (((unchecked & (DONT_DELETE | DONT_ENUM | READ_ONLY)) != 0) && is_element) {
 // Normalize the elements to enable attributes on the property.
- js_object->NormalizeElements();
- NumberDictionary* dictionary = js_object->element_dictionary();
+ NormalizeElements(js_object);
+ Handle dictionary(js_object->element_dictionary());
 // Make sure that we never go back to fast case.
 dictionary->set_requires_slow_elements();
 PropertyDetails details = PropertyDetails(attr, NORMAL);
- dictionary->Set(index, *obj_value, details);
+ NumberDictionarySet(dictionary, index, obj_value, details);
 }
 LookupResult result;
@@ -3557,7 +3557,7 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
 // new attributes.
 if (result.IsProperty() && attr != result.GetAttributes()) {
 // New attributes - normalize to avoid writing to instance descriptor
- js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+ NormalizeProperties(js_object, CLEAR_INOBJECT_PROPERTIES, 0);
 // Use IgnoreAttributes version since a readonly property may be
 // overridden and SetProperty does not allow this.
 return js_object->IgnoreAttributesAndSetLocalProperty(*name,
@@ -4154,7 +4154,7 @@ static Object* Runtime_ToSlowProperties(Arguments args) {
 Handle object = args.at(0);
 if (object->IsJSObject()) {
 Handle js_object = Handle::cast(object);
- js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+ NormalizeProperties(js_object, CLEAR_INOBJECT_PROPERTIES, 0);
 }
 return *object;
 }
diff --git a/test/mjsunit/define-property-gc.js b/test/mjsunit/define-property-gc.js
new file mode 100644
index 0000000..b38164d
--- /dev/null
+++ b/test/mjsunit/define-property-gc.js
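Review bot: Nothing in the new lines of the first hunk records why the raw `NumberDictionary*` and the direct `Set` call were replaced, so the next reader of `Runtime_DefineOrRedefineDataProperty` can reintroduce the same pattern; a one-line comment at the `Handle dictionary(...)` line such as `// Keep the dictionary in a handle: the store below may allocate and move it.` would pin the intent (the commit title calls this a GC error, but whether Set allocates is not visible here, so confirm before wording it as fact). `dictionary->set_requires_slow_elements()` and the `PropertyDetails` construction still run on the raw object between the normalization and the store, which is only safe as long as neither of them allocates. An `ASSERT(js_object->HasDictionaryElements());` right after `NormalizeElements(js_object);` would also document the precondition that the following `element_dictionary()` call relies on. The enclosing function starts and ends outside the hunk.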
@@ -0,0 +1,45 @@
+// Copyright 2010 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Tests the handling of GC issues in the defineProperty method.
+// Flags: --max-new-space-size=256
+
+function Regular() {
+ this[0] = 0;
+ this[1] = 1;
+}
+
+
+function foo() {
+ var descElementNonWritable = { value: 'foofoo', writable: false };
+ for (var i = 0; i < 1000; i++) {
+ var regular = new Regular();
+ Object.defineProperty(regular, '1', descElementNonWritable);
+ }
+}
+
+foo();
-- 
2.7.4
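Review bot: The new test only checks that the loop in `foo` survives, so a store that lands in a stale dictionary after a collection (the failure this commit is about) could still pass as long as it does not crash; each iteration should assert the outcome, e.g. `assertEquals('foofoo', regular[1]);`, `assertEquals(0, regular[0]);` and `assertFalse(Object.getOwnPropertyDescriptor(regular, '1').writable);` inside the loop. The `--max-new-space-size=256` flag together with the 1000 iterations is presumably what forces a collection during `Object.defineProperty`; a short comment above the loop saying so would explain the otherwise arbitrary iteration count.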