commit 7918b195acc0e2c75716e54be56eed0bd3ca78e5
author Michael Stanton <mvstanton@chromium.org> Fri Oct 02 08:05:00 2015
committer Michael Stanton <mvstanton@chromium.org> Fri Oct 02 08:05:21 2015
tree e6cfdc4a3c3ac9938db61cb2205044f14be684c2
parent 158b345efcad7f6e38fec4501a13cee36752a6a4

Version 4.6.85.22 (cherry-pick)

Merged 8611fb31a273ebcf2f0cb2a36929fe48f52e8fd5

[bootstrapper] Fix raw pointer use during potential GC.

BUG=v8:4423,v8:4435
LOG=N
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1380283002 .

Cr-Commit-Position: refs/branch-heads/4.6@{#25}
Cr-Branched-From: 24d34a8ae3cad186792fb1e44e2d7c00d49cd181-refs/heads/4.6.85@{#1}
Cr-Branched-From: 8f441181a570c44ef5c949e8dfd9fd326ac10345-refs/heads/master@{#30256}

include/v8-version.h

diff --git a/include/v8-version.h b/include/v8-version.h
index b02c02b..e32744f 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 85
-#define V8_PATCH_LEVEL 21
+#define V8_PATCH_LEVEL 22
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

src/bootstrapper.cc

diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc
index 32c3fcc5..790a80b 100644
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1937,16 +1937,18 @@
       MaybeHandle<JSObject>(), Builtins::kReflectApply);
   apply->shared()->set_internal_formal_parameter_count(3);
   apply->shared()->set_length(3);
-  apply->shared()->set_feedback_vector(
-      *TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate()));
+  Handle<TypeFeedbackVector> apply_feedback_vector =
+      TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate());
+  apply->shared()->set_feedback_vector(*apply_feedback_vector);
 
   Handle<JSFunction> construct = InstallFunction(
       builtins, "$reflectConstruct", JS_OBJECT_TYPE, JSObject::kHeaderSize,
       MaybeHandle<JSObject>(), Builtins::kReflectConstruct);
   construct->shared()->set_internal_formal_parameter_count(3);
   construct->shared()->set_length(2);
-  construct->shared()->set_feedback_vector(
-      *TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate()));
+  Handle<TypeFeedbackVector> construct_feedback_vector =
+      TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate());
+  construct->shared()->set_feedback_vector(*construct_feedback_vector);
 
   if (!FLAG_harmony_reflect) return;
 
@@ -2444,8 +2446,9 @@
     Handle<JSFunction> apply =
         InstallFunction(proto, "apply", JS_OBJECT_TYPE, JSObject::kHeaderSize,
                         MaybeHandle<JSObject>(), Builtins::kFunctionApply);
-    apply->shared()->set_feedback_vector(
-        *TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate()));
+    Handle<TypeFeedbackVector> feedback_vector =
+        TypeFeedbackVector::CreatePushAppliedArgumentsVector(isolate());
+    apply->shared()->set_feedback_vector(*feedback_vector);
 
     // Make sure that Function.prototype.call appears to be compiled.
     // The code will never be called, but inline caching for call will