Did you report this in the bug tracker? On Saturday, December 22, 2012 9:54:17 PM UTC+8, Stephan Beal wrote: > > On Sat, Dec 22, 2012 at 2:27 PM, Stephan Beal > <[email protected]<javascript:> > > wrote: > >> Hi, devs, >> >> i have just found a regression (from "sometime since last summer") in the >> handling of Object destruction. Consider this JS code: >> ... >> > # Fatal error in ../src/objects-inl.h, line 2386 >> # CHECK(object->IsJSObject()) failed >> # >> > > The worst part is that i verify that Value->IsObject() before attempting > the GetPointerFromInternalField(): > > ResultType operator()( v8::Handle<v8::Value> const & h ) const > { > if( h.IsEmpty() || ! h->IsObject() ) return NULL; > else > { > void * ext = NULL; > v8::Handle<v8::Value> proto(h); > while( !ext && !proto.IsEmpty() && proto->IsObject() ) > { > v8::Local<v8::Object> const & obj( v8::Object::Cast( > *proto ) ); > ext = (obj->InternalFieldCount() != InternalFieldCount) > ? NULL > : obj->GetPointerFromInternalField( > InternalFieldIndex ); > if( ! ext ) > { > if( !SearchPrototypeChain ) break; > else proto = obj->GetPrototype(); > } > } > return ext ? static_cast<ResultType>(ext) : NULL; > } > } > > so this appears to be a genuine bug in v8, in that IsObject() is returning > true, Object::Cast() is functioning (not asserting), but > GetPointerFromInternalField() is triggering a not-an-object assertion. > > > -- > ----- stephan beal > http://wanderinghorse.net/home/stephan/ > http://gplus.to/sgbeal >
-- v8-users mailing list [email protected] http://groups.google.com/group/v8-users
