Revision: 8283 Author: [email protected] Date: Tue Jun 14 08:00:57 2011 Log: Guard an unsafe cast of a catch context's extension object.
[email protected] BUG= TEST= Review URL: http://codereview.chromium.org/7149019 http://code.google.com/p/v8/source/detail?r=8283 Modified: /branches/bleeding_edge/src/contexts.cc /branches/bleeding_edge/src/contexts.h /branches/bleeding_edge/src/objects.cc /branches/bleeding_edge/src/runtime.cc
=======================================
--- /branches/bleeding_edge/src/contexts.cc Tue Jun 14 05:16:23 2011
+++ /branches/bleeding_edge/src/contexts.cc Tue Jun 14 08:00:57 2011
@@ -224,8 +224,8 @@
 // before the global context and check that there are no context
 // extension objects (conservative check for with statements).
 while (!context->IsGlobalContext()) {
- // Check if the context is a catch or with context, or has called
- // non-strict eval.
+ // Check if the context is a catch or with context, or has introduced
+ // bindings by calling non-strict eval.
 if (context->has_extension()) return false;
 // Not a with context so it must be a function context.
=======================================
--- /branches/bleeding_edge/src/contexts.h Tue Jun 14 05:16:23 2011
+++ /branches/bleeding_edge/src/contexts.h Tue Jun 14 08:00:57 2011
@@ -303,6 +303,10 @@
 Map* map = this->map();
 return map == map->GetHeap()->catch_context_map();
 }
+ bool IsWithContext() {
+ Map* map = this->map();
+ return map == map->GetHeap()->with_context_map();
+ }
 // Tells whether the global context is marked with out of memory.
 inline bool has_out_of_memory();
=======================================
--- /branches/bleeding_edge/src/objects.cc Tue Jun 14 05:16:23 2011
+++ /branches/bleeding_edge/src/objects.cc Tue Jun 14 08:00:57 2011
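Review bot: `IsWithContext()` in the contexts.h hunk is added without a comment, while the neighbouring `has_out_of_memory()` declaration carries one; a one-liner in the same style, `// Tells whether this is a with context (identified by its map).`, would match the surrounding declarations. Its body is a copy of `IsCatchContext()` directly above it with only the map accessor changed, so if more per-kind predicates follow, a private helper that compares `this->map()` against a given map would keep them from drifting apart. The enclosing class declaration starts and ends outside the hunk.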
@@ -3228,8 +3228,8 @@
 }
 }
- // Check the context extension if any.
- if (context->has_extension()) {
+ // Check the context extension (if any) if it can have references.
+ if (context->has_extension() && !context->IsCatchContext()) {
 return JSObject::cast(context->extension())->ReferencesObject(obj);
 }
 }
=======================================
--- /branches/bleeding_edge/src/runtime.cc Tue Jun 14 05:16:23 2011
+++ /branches/bleeding_edge/src/runtime.cc Tue Jun 14 08:00:57 2011
@@ -1232,6 +1232,7 @@
 // Declarations are always done in the function context.
 context = Handle<Context>(context->fcontext());
+ ASSERT(context->IsFunctionContext());
 int index;
 PropertyAttributes attributes;
@@ -10227,8 +10228,8 @@
 } else if (context_->IsFunctionContext()) {
 at_local_ = true;
 } else if (context_->closure() != *function_) {
- // The context_ is a with block from the outer function.
- ASSERT(context_->has_extension());
+ // The context_ is a with or catch block from the outer function.
+ ASSERT(context_->IsWithContext() || context_->IsCatchContext());
 at_local_ = true;
 }
 }
@@ -10280,10 +10281,10 @@
 if (context_->IsFunctionContext()) {
 return ScopeTypeClosure;
 }
- ASSERT(context_->has_extension());
 if (context_->IsCatchContext()) {
 return ScopeTypeCatch;
 }
+ ASSERT(context_->IsWithContext());
 return ScopeTypeWith;
 }
-- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
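Review bot: The new guard in the objects.cc hunk excludes catch contexts by kind rather than checking what the extension slot holds, so the `JSObject::cast` on the following line stays sound only as long as every other context kind with an extension stores a JSObject there; a positive check, `if (context->has_extension() && context->extension()->IsJSObject()) {`, would keep the cast safe if a further context kind with a non-JSObject extension is ever added. The rewritten comment also does not say why a catch context is skipped; the commit message gives the reason (the cast is unsafe for a catch context's extension), so a comment such as `// A catch context's extension is not a JSObject, so the cast below must not be applied to it.` would spare the next reader the archaeology. The enclosing function starts outside the hunk.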
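Review bot: In the runtime.cc hunk at @@ -10280 the fall-through `return ScopeTypeWith;` is guarded only by `ASSERT(context_->IsWithContext());`, and ASSERT is compiled out in release builds, so any context kind that is neither a function nor a catch context would be reported as a with scope there. The removed `ASSERT(context_->has_extension())` was equally debug-only, so this is not a regression, but the reliance is now on the kind predicate rather than the extension slot and deserves a word, e.g. `// Every remaining context kind reaching this point is a with context.` above the assert. Whether another kind (a global context, say) can reach this point depends on checks earlier in the function, which start outside the hunk.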
