Reviewers: Lasse Reichstein, Description: Fix http://code.google.com/p/chromium/issues/detail?id=7258 crash in IsFlat. You can't keep a StringShape across things that can cause GC.
Please review this at http://codereview.chromium.org/19749 SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/ Affected files: M src/jsregexp.cc Index: src/jsregexp.cc =================================================================== --- src/jsregexp.cc (revision 1181) +++ src/jsregexp.cc (working copy) @@ -672,8 +672,7 @@ JSRegExp::Flags flags = re->GetFlags(); Handle<String> pattern(re->Pattern()); - StringShape shape(*pattern); - if (!pattern->IsFlat(shape)) { + if (!pattern->IsFlat(StringShape(*pattern))) { FlattenString(pattern); } @@ -783,8 +782,7 @@ Handle<String> subject) { ASSERT_EQ(regexp->TypeTag(), JSRegExp::IRREGEXP); - StringShape shape(*subject); - bool is_ascii = shape.IsAsciiRepresentation(); + bool is_ascii = StringShape(*subject).IsAsciiRepresentation(); Handle<FixedArray> irregexp = GetCompiledIrregexp(regexp, is_ascii); if (irregexp.is_null()) { return Handle<Object>::null(); @@ -800,7 +798,7 @@ int i = 0; Handle<Object> matches; - if (!subject->IsFlat(shape)) { + if (!subject->IsFlat(StringShape(*subject))) { FlattenString(subject); } --~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list v8-dev@googlegroups.com http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---