Guard an unsafe cast of a catch context's extension object.

R=ager@chromium.org BUG= TEST= Review URL: http://codereview.chromium.org/7149019 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8283 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Guard an unsafe cast of a catch context's extension object.
R=ager@chromium.org BUG= TEST= Review URL: http://codereview.chromium.org/7149019 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8283 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
d77fa99e · kmillikin@chromium.org · dc47de67 · d77fa99e · d77fa99e · d77fa99e
Commit d77fa99e authored Jun 14, 2011 by kmillikin@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 7 deletions

contexts.cc src/contexts.cc +2 -2

contexts.h src/contexts.h +4 -0

objects.cc src/objects.cc +2 -2

runtime.cc src/runtime.cc +4 -3

No files found.
--- a/src/contexts.cc
+++ b/src/contexts.cc
@@ -224,8 +224,8 @@ bool Context::GlobalIfNotShadowedByEval(Handle<String> name) {
  // before the global context and check that there are no context
  // extension objects (conservative check for with statements).
  while (!context->IsGlobalContext()) {
-    // Check if the context is a catch or with context, or has called
-    // non-strict eval.
+    // Check if the context is a catch or with context, or has introduced
+    // bindings by calling non-strict eval.
    if (context->has_extension()) return false;

    // Not a with context so it must be a function context.

--- a/src/contexts.h
+++ b/src/contexts.h
@@ -303,6 +303,10 @@ class Context: public FixedArray {
    Map* map = this->map();
    return map == map->GetHeap()->catch_context_map();
  }
+  bool IsWithContext() {
+    Map* map = this->map();
+    return map == map->GetHeap()->with_context_map();
+  }

  // Tells whether the global context is marked with out of memory.
  inline bool has_out_of_memory();

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3228,8 +3228,8 @@ bool JSObject::ReferencesObject(Object* obj) {
      }
    }

-    // Check the context extension if any.
-    if (context->has_extension()) {
+    // Check the context extension (if any) if it can have references.
+    if (context->has_extension() && !context->IsCatchContext()) {
      return JSObject::cast(context->extension())->ReferencesObject(obj);
    }
  }

--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1232,6 +1232,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_DeclareContextSlot) {

  // Declarations are always done in the function context.
  context = Handle<Context>(context->fcontext());
+  ASSERT(context->IsFunctionContext());

  int index;
  PropertyAttributes attributes;
@@ -10227,8 +10228,8 @@ class ScopeIterator {
    } else if (context_->IsFunctionContext()) {
      at_local_ = true;
    } else if (context_->closure() != *function_) {
-      // The context_ is a with block from the outer function.
-      ASSERT(context_->has_extension());
+      // The context_ is a with or catch block from the outer function.
+      ASSERT(context_->IsWithContext() || context_->IsCatchContext());
      at_local_ = true;
    }
  }
@@ -10280,10 +10281,10 @@ class ScopeIterator {
    if (context_->IsFunctionContext()) {
      return ScopeTypeClosure;
    }
-    ASSERT(context_->has_extension());
    if (context_->IsCatchContext()) {
      return ScopeTypeCatch;
    }
+    ASSERT(context_->IsWithContext());
    return ScopeTypeWith;
  }