Bug 1144802 part 5. Flag eval scripts as having a polluted scopechain when inside a with scope. r=luke

js/src/builtin/Eval.cpp

@@ -212,6 +212,18 @@ TryEvalJSON(JSContext *cx, JSLinearString *str, MutableHandleValue rval)
            : ParseEvalStringAsJSON(cx, linearChars.twoByteRange(), rval);
 }
 
+static bool
+HasPollutedScopeChain(JSObject* scopeChain)
+{
+    while (scopeChain) {
+        if (scopeChain->is<DynamicWithObject>())
+            return true;
+        scopeChain = scopeChain->enclosingScope();
+    }
+
+    return false;
+}
+
 // Define subset of ExecuteType so that casting performs the injection.
 enum EvalType { DIRECT_EVAL = EXECUTE_DIRECT_EVAL, INDIRECT_EVAL = EXECUTE_INDIRECT_EVAL };
 
@@ -314,11 +326,14 @@ EvalKernel(JSContext *cx, const CallArgs &args, EvalType evalType, AbstractFrame
         if (!staticScope)
             return false;
 
+        bool hasPollutedGlobalScope =
+            HasPollutedScopeChain(scopeobj) ||
+            (evalType == DIRECT_EVAL && callerScript->hasPollutedGlobalScope());
+
         CompileOptions options(cx);
         options.setFileAndLine(filename, 1)
                .setCompileAndGo(true)
-               .setHasPollutedScope(evalType == DIRECT_EVAL &&
-                                    callerScript->hasPollutedGlobalScope())
+               .setHasPollutedScope(hasPollutedGlobalScope)
                .setForEval(true)
                .setNoScriptRval(false)
                .setMutedErrors(mutedErrors)
@@ -401,7 +416,8 @@ js::DirectEvalStringFromIon(JSContext *cx,
         CompileOptions options(cx);
         options.setFileAndLine(filename, 1)
                .setCompileAndGo(true)
-               .setHasPollutedScope(callerScript->hasPollutedGlobalScope())
+               .setHasPollutedScope(HasPollutedScopeChain(scopeobj) ||
+                                    callerScript->hasPollutedGlobalScope())
                .setForEval(true)
                .setNoScriptRval(false)
                .setMutedErrors(mutedErrors)