Fixed global object leak

src/api.cc

Index: src/api.cc
diff --git a/src/api.cc b/src/api.cc
index aee9e3a469eae454a9fdc7b241142050044a730a..d7c76d5a13db453d2c2510041effc573acb69c1f 100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -5410,6 +5410,12 @@ v8::Local<v8::Object> Context::Global() {
   i::Handle<i::Context> context = Utils::OpenHandle(this);
   i::Isolate* isolate = context->GetIsolate();
   i::Handle<i::Object> global(context->global_proxy(), isolate);
+  // TODO(dcarney): This should always return the global proxy
+  // but can't presently as calls to GetProtoype will return the wrong result.
+  if (i::Handle<i::JSGlobalProxy>::cast(
+          global)->IsDetachedFrom(context->global_object())) {
+     global = i::Handle<i::Object>(context->global_object(), isolate);

[haraken, 2016/05/18 05:58:32]

It looks like that this is doing something dangerous. When Blink calls
Context::Global for an detached iframe, it returns a global object (which may be
already used by another iframe), not the global proxy object.

Is the TODO still valid?

[Toon Verwaest, 2016/05/30 21:34:12]

Yes. We should never leak the naked global object to blink.

+  }
   return Utils::ToLocal(i::Handle<i::JSObject>::cast(global));
 }
 
@@ -5422,16 +5428,6 @@ void Context::DetachGlobal() {
 }
 
 
-void Context::ReattachGlobal(Handle<Object> global_object) {
-  i::Handle<i::Context> context = Utils::OpenHandle(this);
-  i::Isolate* isolate = context->GetIsolate();
-  ENTER_V8(isolate);
-  i::Handle<i::JSGlobalProxy> global_proxy =
-      i::Handle<i::JSGlobalProxy>::cast(Utils::OpenHandle(*global_object));
-  isolate->bootstrapper()->ReattachGlobal(context, global_proxy);
-}
-
-
 void Context::AllowCodeGenerationFromStrings(bool allow) {
   i::Handle<i::Context> context = Utils::OpenHandle(this);
   i::Isolate* isolate = context->GetIsolate();