Prevent leaks of cross context maps in the Oracle.

Some code in type-info.cc could allow a cross context map to be visible to crankshaft. Tighten up this code to be certain that only a JSFunction, an AllocationSite or a Symbol can be returned. R=verwaest@chromium.org BUG= Review URL: https://codereview.chromium.org/1026343004 Cr-Commit-Position: refs/heads/master@{#27417}

Prevent leaks of cross context maps in the Oracle.
Some code in type-info.cc could allow a cross context map to be visible to crankshaft. Tighten up this code to be certain that only a JSFunction, an AllocationSite or a Symbol can be returned. R=verwaest@chromium.org BUG= Review URL: https://codereview.chromium.org/1026343004 Cr-Commit-Position: refs/heads/master@{#27417}
821655fb · mvstanton · Commit bot · f8ba595a · 821655fb
Commit 821655fb authored Mar 24, 2015 by mvstanton Committed by Commit bot Mar 24, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

type-info.cc src/type-info.cc +5 -2

No files found.
--- a/src/type-info.cc
+++ b/src/type-info.cc
@@ -54,6 +54,7 @@ Handle<Object> TypeFeedbackOracle::GetInfo(FeedbackVectorSlot slot) {
  Object* obj = feedback_vector_->Get(slot);
  if (!obj->IsJSFunction() ||
      !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) {
+    DCHECK(!obj->IsMap());
    return Handle<Object>(obj, isolate());
  }
  return Handle<Object>::cast(isolate()->factory()->undefined_value());
@@ -74,10 +75,12 @@ Handle<Object> TypeFeedbackOracle::GetInfo(FeedbackVectorICSlot slot) {
    obj = cell->value();
  }

-  if (!obj->IsJSFunction() ||
-      !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) {
+  if ((obj->IsJSFunction() &&
+       !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) ||
+      obj->IsAllocationSite() || obj->IsSymbol()) {
    return Handle<Object>(obj, isolate());
  }
+
  return undefined;
 }