From 821655fb5778141140a7d4b0151aede04fca522b Mon Sep 17 00:00:00 2001
From: mvstanton <mvstanton@chromium.org>
Date: Tue, 24 Mar 2015 08:37:14 -0700
Subject: [PATCH] Prevent leaks of cross context maps in the Oracle.

Some code in type-info.cc could allow a cross context map to be visible to
crankshaft. Tighten up this code to be certain that only a JSFunction, an
AllocationSite or a Symbol can be returned.

R=verwaest@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1026343004

Cr-Commit-Position: refs/heads/master@{#27417}
---
 src/type-info.cc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/type-info.cc b/src/type-info.cc
index 7e1d6011d..1059c7aec 100644
--- a/src/type-info.cc
+++ b/src/type-info.cc
@@ -54,6 +54,7 @@ Handle<Object> TypeFeedbackOracle::GetInfo(FeedbackVectorSlot slot) {
   Object* obj = feedback_vector_->Get(slot);
   if (!obj->IsJSFunction() ||
       !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) {
+    DCHECK(!obj->IsMap());
     return Handle<Object>(obj, isolate());
   }
   return Handle<Object>::cast(isolate()->factory()->undefined_value());
@@ -74,10 +75,12 @@ Handle<Object> TypeFeedbackOracle::GetInfo(FeedbackVectorICSlot slot) {
     obj = cell->value();
   }
 
-  if (!obj->IsJSFunction() ||
-      !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) {
+  if ((obj->IsJSFunction() &&
+       !CanRetainOtherContext(JSFunction::cast(obj), *native_context_)) ||
+      obj->IsAllocationSite() || obj->IsSymbol()) {
     return Handle<Object>(obj, isolate());
   }
+
   return undefined;
 }
 
-- 
2.34.1