Status: Accepted
Owner: [email protected]
Labels: Type-Bug Priority-Medium
New issue 3162 by [email protected]: Debug.MakeMirror().referencedBy()
crashes on context extensions
http://code.google.com/p/v8/issues/detail?id=3162
The following test case segfaults (or ASSERTs with --enable-slow-asserts):
(function () {
  foo = function foo() {}
})();
Debug = debug.Debug
var __v_0 = {};
var __v_4 = debug.MakeMirror(__v_0);
print(__v_4.referencedBy().length);
module B {
}
Run it in d8 with flags: --harmony --expose-debug-as debug
One possible fix would be:
diff --git a/src/objects.cc b/src/objects.cc
index 84fcee7..fc27b04 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5440,7 +5440,7 @@ bool JSObject::ReferencesObject(Object* obj) {
}
// Check the context extension (if any) if it can have references.
- if (context->has_extension() && !context->IsCatchContext()) {
+ if (context->has_extension() && context->extension()->IsJSObject()) {
return JSObject::cast(context->extension())->ReferencesObject(obj);
}
}
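Review bot: On the `+` line, `context->extension()->IsJSObject()` makes the loop skip every extension that is not a JSObject, so any reference held through such an extension is never reported and referencedBy() can under-count, while the comment above still says the extension is checked "if it can have references". Either handle the other extension kinds explicitly before falling through, or update the comment to state which kinds are walked. The removal of `!context->IsCatchContext()` also needs a one-line justification, since nothing in the hunk shows that the type check covers the catch-context case.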
but I don't know if that's functionally correct (I suspect it is not -- if
context->extension() is a ScopeInfo/FixedArray, it can also reference other
objects, but casting it to JSObject is incorrect [and crashy] in that case).
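
The concern in the paragraph above, as an added example that is not part of the original report and is not V8 code: a toy heap model comparing a JSObject-only guard with dispatch on the extension's actual kind. All type and function names are hypothetical, and the sample objects are constructed.

```cpp
// Added example: a toy heap model, not V8 source. Every name here is hypothetical.
#include <cstdio>
#include <vector>
enum class Kind { kJSObject, kFixedArray, kString };

struct HeapObject {
  Kind kind;
  std::vector<const HeapObject*> slots;  // properties or elements; empty for strings
};

struct Context {
  const HeapObject* extension;  // any Kind, or nullptr when there is no extension
};

static bool ScanSlots(const HeapObject* holder, const HeapObject* target) {
  for (const HeapObject* slot : holder->slots)
    if (slot == target) return true;
  return false;
}

// Same shape as the guard in the proposed fix: only a JSObject extension is
// walked, so a reference held by any other kind of extension goes unreported.
bool ReferencesViaJSObjectOnly(const Context& ctx, const HeapObject* target) {
  const HeapObject* ext = ctx.extension;
  if (ext == nullptr || ext->kind != Kind::kJSObject) return false;
  return ScanSlots(ext, target);
}

// Dispatch on the real kind: nothing is treated as a type it has not been
// checked to be, and array-like extensions are still searched.
bool ReferencesByKind(const Context& ctx, const HeapObject* target) {
  const HeapObject* ext = ctx.extension;
  if (ext == nullptr) return false;
  switch (ext->kind) {
    case Kind::kJSObject:
    case Kind::kFixedArray:
      return ScanSlots(ext, target);
    case Kind::kString:
      return false;  // holds no object references in this model
  }
  return false;
}

int main() {
  HeapObject target{Kind::kJSObject, {}};
  HeapObject array_ext{Kind::kFixedArray, {&target}};  // constructed sample
  Context ctx{&array_ext};
  std::printf("%d %d\n", ReferencesViaJSObjectOnly(ctx, &target), ReferencesByKind(ctx, &target));
}
```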