Prevent leaks of cross context maps in the Oracle.
authormvstanton <mvstanton@chromium.org>
Tue, 24 Mar 2015 15:37:14 +0000 (08:37 -0700)
committerCommit bot <commit-bot@chromium.org>
Tue, 24 Mar 2015 15:37:23 +0000 (15:37 +0000)
Some code in type-info.cc could allow a cross context map to be visible to
crankshaft. Tighten up this code to be certain that only a JSFunction, an
AllocationSite or a Symbol can be returned.

R=verwaest@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1026343004

Cr-Commit-Position: refs/heads/master@{#27417}

src/type-info.cc

index 7e1d6011d0e82ad1a26cc47c272567a7c87cc3d0..1059c7aecd8796e4f31d0a9f4a9e3ff3354f4719 100644 (file)
@@ -54,6 +54,7 @@ Handle<Object> TypeFeedbackOracle::GetInfo(FeedbackVectorSlot slot) {
   Object* obj = feedback_vector_->Get(slot);
   if (!obj->IsJSFunction() ||
       !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) {
+    DCHECK(!obj->IsMap());
     return Handle<Object>(obj, isolate());
   }
   return Handle<Object>::cast(isolate()->factory()->undefined_value());
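Review bot: The added `DCHECK(!obj->IsMap())` only asserts the invariant in debug builds; in release builds this branch still returns any non-JSFunction object unchanged, so the no-map guarantee for plain slots rests on an assumption rather than a filter. That assumption deserves a sentence next to the check so nobody later relaxes it, e.g. `// Plain slots are not expected to hold maps; the FeedbackVectorICSlot overload filters those explicitly.`. The contrast with the IC-slot overload, which whitelists what it returns, is worth a cross-reference here for the same reason. The function's opening line is outside the hunk (it appears only in the `@@` context).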
@@ -74,10 +75,12 @@ Handle<Object> TypeFeedbackOracle::GetInfo(FeedbackVectorICSlot slot) {
     obj = cell->value();
   }
 
-  if (!obj->IsJSFunction() ||
-      !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) {
+  if ((obj->IsJSFunction() &&
+       !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) ||
+      obj->IsAllocationSite() || obj->IsSymbol()) {
     return Handle<Object>(obj, isolate());
   }
+
   return undefined;
 }
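Review bot: The rewritten condition is now a whitelist (JSFunction that cannot retain another context, AllocationSite, Symbol), but nothing in the code states that intent, and a reader could plausibly "simplify" it back to the old exclusion form and reopen the cross-context map leak this change closes. Suggest a comment above the `if`: `// Only a JSFunction bound to this context, an AllocationSite or a Symbol may be handed to the optimizing compiler; anything else (notably a Map) reads as undefined.`. The mixed `&&`/`||` expression would also read more directly as separate early returns, but that is a style choice. The `undefined` handle and the function's opening line are defined outside the hunk.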