| Summary: | Converted this value not preserved when accessed via direct eval. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Gavin Barraclough <barraclough> | ||||||
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | ||||||||
| Priority: | P2 | ||||||||
| Version: | 528+ (Nightly build) | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| URL: | javascript:function f(x) { eval("this.x = 2"); eval("alert(this.x)"); } f.call(1); | ||||||||
| Attachments: |
|
||||||||
|
Description
Gavin Barraclough
2011-07-16 15:00:51 PDT
Lemme try that description thing again. Upon entry into a non-strict function, primitive this values should be boxed as Object types (or substituted with the global object) - which is done by op_convert_this. However we only do so where this is used lexically within the function (we omit the conversion op if not). The problem comes if a direct eval (running within the function's scope) accesses the this value. We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and a new wrapper object is allocated each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper object will be lost between eval statements. Created attachment 101103 [details]
Preliminary patch, need ChangeLog & layout test.
Created attachment 101106 [details]
The patch, with layout test & correct strict mode behaviour
|