Guard an unsafe cast of a catch context's extension object.

R=ager@chromium.org
BUG=
TEST=

Review URL: http://codereview.chromium.org/7149019

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8283 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/contexts.cc b/src/contexts.cc
index c590d02..2ed5378 100644 (file)
--- a/src/contexts.cc
+++ b/src/contexts.cc
@@ -224,8 +224,8 @@ bool Context::GlobalIfNotShadowedByEval(Handle<String> name) {
   // before the global context and check that there are no context
   // extension objects (conservative check for with statements).
   while (!context->IsGlobalContext()) {
-    // Check if the context is a catch or with context, or has called
-    // non-strict eval.
+    // Check if the context is a catch or with context, or has introduced
+    // bindings by calling non-strict eval.
     if (context->has_extension()) return false;
 
     // Not a with context so it must be a function context.

diff --git a/src/contexts.h b/src/contexts.h
index f1bebf4..100e1a2 100644 (file)
--- a/src/contexts.h
+++ b/src/contexts.h
@@ -303,6 +303,10 @@ class Context: public FixedArray {
     Map* map = this->map();
     return map == map->GetHeap()->catch_context_map();
   }
+  bool IsWithContext() {
+    Map* map = this->map();
+    return map == map->GetHeap()->with_context_map();
+  }
 
   // Tells whether the global context is marked with out of memory.
   inline bool has_out_of_memory();

diff --git a/src/objects.cc b/src/objects.cc
index 4b8a8aa..6185e2d 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3228,8 +3228,8 @@ bool JSObject::ReferencesObject(Object* obj) {
       }
     }
 
-    // Check the context extension if any.
-    if (context->has_extension()) {
+    // Check the context extension (if any) if it can have references.
+    if (context->has_extension() && !context->IsCatchContext()) {
       return JSObject::cast(context->extension())->ReferencesObject(obj);
     }
   }

diff --git a/src/runtime.cc b/src/runtime.cc
index 31e31a3..7330526 100644 (file)
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1232,6 +1232,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_DeclareContextSlot) {
 
   // Declarations are always done in the function context.
   context = Handle<Context>(context->fcontext());
+  ASSERT(context->IsFunctionContext());
 
   int index;
   PropertyAttributes attributes;
@@ -10227,8 +10228,8 @@ class ScopeIterator {
     } else if (context_->IsFunctionContext()) {
       at_local_ = true;
     } else if (context_->closure() != *function_) {
-      // The context_ is a with block from the outer function.
-      ASSERT(context_->has_extension());
+      // The context_ is a with or catch block from the outer function.
+      ASSERT(context_->IsWithContext() || context_->IsCatchContext());
       at_local_ = true;
     }
   }
@@ -10280,10 +10281,10 @@ class ScopeIterator {
     if (context_->IsFunctionContext()) {
       return ScopeTypeClosure;
     }
-    ASSERT(context_->has_extension());
     if (context_->IsCatchContext()) {
       return ScopeTypeCatch;
     }
+    ASSERT(context_->IsWithContext());
     return ScopeTypeWith;
   }