Reviewers: Michael Starzinger,

Description:
When redefining accessor properties, defensively copy AccessorPairs.

The previous code relied on the tricky global invariant that there is no map
sharing when accessor properties are involved (or in other words: that
TransformToFastProperties is dumb enough :-). Although this is not a real
problem with the current code, this assumption breaks when map sharing in fast
mode is enabled, so we defensively copy an AccessorPair.


Please review this at https://chromiumcodereview.appspot.com/9430048/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/objects.cc


Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index c317f0abf70eaacf1aaf3c7820a5affc3e86d17e..08fb84cbf13ac80e1186cbaa3410cfbc3de6ab0f 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4471,9 +4471,14 @@ MaybeObject* JSObject::DefinePropertyAccessor(String* name,
       Object* obj = result.GetCallbackObject();
       // Need to preserve old getters/setters.
       if (obj->IsAccessorPair()) {
-        AccessorPair::cast(obj)->set(is_getter, fun);
+        AccessorPair* copy;
+        { MaybeObject* maybe_copy =
+              AccessorPair::cast(obj)->CopyWithoutTransitions();
+          if (!maybe_copy->To(&copy)) return maybe_copy;
+        }
+        copy->set(is_getter, fun);
         // Use set to update attributes.
- { MaybeObject* maybe_ok = SetPropertyCallback(name, obj, attributes); + { MaybeObject* maybe_ok = SetPropertyCallback(name, copy, attributes);
           if (maybe_ok->IsFailure()) return maybe_ok;
         }
         return GetHeap()->undefined_value();
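Review bot: the comment `// Need to preserve old getters/setters.` at the top of the hunk still describes the old in-place update and no longer says why a copy is made; extend it (just before `AccessorPair* copy;`) to state that the existing pair may be reachable from a map shared with other objects, so it must never be modified in place. The ordering in the hunk itself is right: `copy->set(is_getter, fun)` runs only after `To(&copy)` succeeded, and an allocation failure returns `maybe_copy` before anything has been touched, so a retried attempt still starts from the unmodified original pair. One more small point: the `+` line for `SetPropertyCallback(name, copy, attributes)` is the only place the copy escapes, so if that call returns a failure the fresh copy is simply dropped, which is fine, but worth a one-line comment so a later reader does not look for where the original pair gets restored.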


--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
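The hazard the commit message describes, as an added C++ illustration written for this page (it is not V8 code): `AccessorPair`, `Map`, `JSObject` and `SetPropertyCallback` are simplified stand-ins for the real V8 types, and "map sharing" is modelled by two objects holding the same `Map`. `DefineAccessorInPlace` mirrors the pre-patch behaviour (mutate the pair found in the descriptor), `DefineAccessorCopy` the post-patch one (copy, then mutate the copy), and `GetterSeenByOther` reports which getter the second, untouched object ends up with.

```cpp
// Added illustration, not V8 code: why an AccessorPair reachable from a
// shared map must be copied before it is modified.
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for V8's AccessorPair: the getter/setter are
// represented by function names only.
struct AccessorPair {
    std::string getter;  // "" means no getter
    std::string setter;  // "" means no setter
    void set(bool is_getter, const std::string& fun) {
        (is_getter ? getter : setter) = fun;
    }
    // Stand-in for CopyWithoutTransitions(): a fresh, unshared pair.
    std::shared_ptr<AccessorPair> copy() const {
        return std::make_shared<AccessorPair>(*this);
    }
};

// A map describes an object's property layout; its descriptor for the
// accessor property points at an AccessorPair. Many objects may share one map.
struct Map {
    std::shared_ptr<AccessorPair> accessors;
};

struct JSObject {
    std::shared_ptr<Map> map;
};

// Stand-in for SetPropertyCallback(): installs the pair under a new map for
// this object only (a map transition). Other objects keep the old map.
void SetPropertyCallback(JSObject& obj, std::shared_ptr<AccessorPair> pair) {
    obj.map = std::make_shared<Map>(Map{std::move(pair)});
}

// Pre-patch behaviour: modify the pair found in the (possibly shared) map.
void DefineAccessorInPlace(JSObject& obj, bool is_getter,
                           const std::string& fun) {
    std::shared_ptr<AccessorPair> pair = obj.map->accessors;
    pair->set(is_getter, fun);  // every object sharing the map sees this
    SetPropertyCallback(obj, pair);
}

// Post-patch behaviour: copy first, modify only the copy.
void DefineAccessorCopy(JSObject& obj, bool is_getter,
                        const std::string& fun) {
    std::shared_ptr<AccessorPair> copy = obj.map->accessors->copy();
    copy->set(is_getter, fun);
    SetPropertyCallback(obj, copy);
}

// Two objects share one map whose accessor pair is {getX, setX}. Redefine
// the getter on `a` and return the getter that `b` observes afterwards.
std::string GetterSeenByOther(bool defensive_copy) {
    auto shared_map = std::make_shared<Map>(
        Map{std::make_shared<AccessorPair>(AccessorPair{"getX", "setX"})});
    JSObject a{shared_map};
    JSObject b{shared_map};
    if (defensive_copy) {
        DefineAccessorCopy(a, /*is_getter=*/true, "getX2");
    } else {
        DefineAccessorInPlace(a, /*is_getter=*/true, "getX2");
    }
    return b.map->accessors->getter;
}

int main() {
    std::cout << "in place: b's getter is " << GetterSeenByOther(false)
              << " (was never redefined on b)\n";
    std::cout << "copied:   b's getter is " << GetterSeenByOther(true) << "\n";
    return 0;
}
```

With the in-place variant `b` ends up with `getX2` although only `a` was redefined, which is exactly the cross-object corruption the patch rules out once maps can be shared in fast mode; the copying variant leaves `b` on `getX`.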
