Bug 64657

Summary:

Converted this value not preserved when accessed via direct eval.

Product:

WebKit

Reporter:

Gavin Barraclough <barraclough>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

URL:

javascript:function f(x) { eval("this.x = 2"); eval("alert(this.x)"); } f.call(1);

Attachments:

Description	Flags
Preliminary patch, need ChangeLog & layout test.	none
The patch, with layout test & correct strict mode behaviour	oliver: review+

Gavin Barraclough

Reported 2011-07-16 15:00:51 PDT

Upon entry into a non-strcict function primitive types should be boxed as an Object type - which we do using op_convert_this. However we omit to convert this where this is not used within the function. The problem comes if a direct eval (running within the function's scope) accesses this. We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and is freshly converted each time eval is invoked. This is inefficient and incorrect, since any changes to this will be lost between eval statements.

Attachments
Preliminary patch, need ChangeLog & layout test. (3.27 KB, patch) 2011-07-16 15:54 PDT, Gavin Barraclough	no flags	Details Formatted Diff Diff
The patch, with layout test & correct strict mode behaviour (8.26 KB, patch) 2011-07-16 17:30 PDT, Gavin Barraclough	oliver: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Gavin Barraclough

Comment 1 2011-07-16 15:52:47 PDT

Lemme try that description thing again. Upon entry into a non-strict function, primitive this values should be boxed as Object types (or substituted with the global object) - which is done by op_convert_this. However we only do so where this is used lexically within the function (we omit the conversion op if not). The problem comes if a direct eval (running within the function's scope) accesses the this value. We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and a new wrapper object is allocated each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper object will be lost between eval statements.

Gavin Barraclough

Comment 2 2011-07-16 15:54:06 PDT

Created attachment 101103 [details] Preliminary patch, need ChangeLog & layout test.

Gavin Barraclough

Comment 3 2011-07-16 17:30:16 PDT

Created attachment 101106 [details] The patch, with layout test & correct strict mode behaviour

Gavin Barraclough

Comment 4 2011-07-16 22:05:13 PDT

Fixed in r91164

Note You need to log in before you can comment on or make changes to this bug.