Correctly handlify two frame {Summarize} methods

backes · Commit Bot · commit fba03abcfaa1 · 2019-09-05T15:42:59.000Z
{JavaScriptFrame::GetParameters} allocates a new {FixedArray}, hence all object references need to be handified to survive that allocation. R=mstarzinger@chromium.org Bug: chromium:1000635 Change-Id: I76df5ac109bdb6999fe897bdafaf2175344ecca4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1787429 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#63583}
diff --git a/src/execution/frames.cc b/src/execution/frames.cc
@@ -1147,11 +1147,11 @@ void JavaScriptFrame::Summarize(std::vector<FrameSummary>* functions) const {
   DCHECK(functions->empty());
   Code code = LookupCode();
   int offset = static_cast<int>(pc() - code.InstructionStart());
-  AbstractCode abstract_code = AbstractCode::cast(code);
+  Handle<AbstractCode> abstract_code(AbstractCode::cast(code), isolate());
   Handle<FixedArray> params = GetParameters();
   FrameSummary::JavaScriptFrameSummary summary(
-      isolate(), receiver(), function(), abstract_code, offset, IsConstructor(),
-      *params);
+      isolate(), receiver(), function(), *abstract_code, offset,
+      IsConstructor(), *params);
   functions->push_back(summary);
 }
 
@@ -1824,10 +1824,11 @@ void InterpretedFrame::WriteInterpreterRegister(int register_index,
 
 void InterpretedFrame::Summarize(std::vector<FrameSummary>* functions) const {
   DCHECK(functions->empty());
-  AbstractCode abstract_code = AbstractCode::cast(GetBytecodeArray());
+  Handle<AbstractCode> abstract_code(AbstractCode::cast(GetBytecodeArray()),
+                                     isolate());
   Handle<FixedArray> params = GetParameters();
   FrameSummary::JavaScriptFrameSummary summary(
-      isolate(), receiver(), function(), abstract_code, GetBytecodeOffset(),
+      isolate(), receiver(), function(), *abstract_code, GetBytecodeOffset(),
       IsConstructor(), *params);
   functions->push_back(summary);
 }
diff --git a/test/mjsunit/regress/regress-1000635.js b/test/mjsunit/regress/regress-1000635.js
@@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --stress-compaction --detailed-error-stack-trace --gc-interval=1
+
+function add(a, b) {
+  throw new Error();
+}
+for (let i = 0; i < 100; ++i) {
+  try {
+    add(1, 2);
+  } catch (e) {
+  }
+}
