Bailout on possible direct eval calls.

Environment structure for such calls is different from normal global calls.

R=fschneider@chromium.org
BUG=chromium:122681

Review URL: https://chromiumcodereview.appspot.com/10024060

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11256 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index f9d41910f31edb9f1bbbda6ac22ec0ce5935d1c0..2b999cb768dd2239e69a527c3e50a2f423887992 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -2454,6 +2454,10 @@ HGraph* HGraphBuilder::CreateGraph() {
       Bailout("function with illegal redeclaration");
       return NULL;
     }
+    if (scope->calls_eval()) {
+      Bailout("function calls eval");
+      return NULL;
+    }
     SetUpScope(scope);
 
     // Add an edge to the body entry.  This is warty: the graph's start
@@ -5936,6 +5940,10 @@ void HGraphBuilder::VisitCall(Call* expr) {
     VariableProxy* proxy = expr->expression()->AsVariableProxy();
     bool global_call = proxy != NULL && proxy->var()->IsUnallocated();
 
+    if (proxy != NULL && proxy->var()->is_possibly_eval()) {
+      return Bailout("possible direct call to eval");
+    }
+
     if (global_call) {
       Variable* var = proxy->var();
       bool known_global_function = false;