Version 3.30.33.11 (cherry-pick)
Merged 377de64246b3c1449f4e2090622ae1e1691e51ae
Make sure backing store pointer in handles get cleared after use in factory.
BUG=442710
LOG=N
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/823583002
Cr-Commit-Position: refs/branch-heads/3.30@{#25265}
diff --git a/src/factory.cc b/src/factory.cc
index 72974a3..19df01a 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1665,6 +1665,7 @@
return;
}
+ HandleScope inner_scope(isolate());
Handle<FixedArrayBase> elms;
ElementsKind elements_kind = array->GetElementsKind();
if (IsFastDoubleElementsKind(elements_kind)) {
diff --git a/src/version.cc b/src/version.cc
index e65985a..057c7e4 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 30
#define BUILD_NUMBER 33
-#define PATCH_LEVEL 10
+#define PATCH_LEVEL 11
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
diff --git a/test/cctest/test-heap.cc b/test/cctest/test-heap.cc
index 543a89d..0d43c06 100644
--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -4742,6 +4742,23 @@
}
+TEST(Regress442710) {
+ CcTest::InitializeVM();
+ Isolate* isolate = CcTest::i_isolate();
+ Heap* heap = isolate->heap();
+ Factory* factory = isolate->factory();
+
+ HandleScope sc(isolate);
+ Handle<GlobalObject> global(CcTest::i_isolate()->context()->global_object());
+ Handle<JSArray> array = factory->NewJSArray(2);
+
+ Handle<String> name = factory->InternalizeUtf8String("testArray");
+ JSReceiver::SetProperty(global, name, array, SLOPPY).Check();
+ CompileRun("testArray[0] = 1; testArray[1] = 2; testArray.shift();");
+ heap->CollectGarbage(OLD_POINTER_SPACE);
+}
+
+
#ifdef DEBUG
TEST(PathTracer) {
CcTest::InitializeVM();
