Bug 77581

Summary: calling function on catch block scope containing an eval result in wrong this value being passed
Product: WebKit Reporter: Gavin Barraclough <barraclough>
Component: JavaScriptCoreAssignee: Gavin Barraclough <barraclough>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: javascript:function F(){ return 'F' in this; }; try { throw F; } catch (e) { eval(""); alert(e()); }
Attachments:
Description Flags
The patch oliver: review+

Gavin Barraclough
Reported 2012-02-01 15:46:34 PST
If a catch block contains eval, we use a regular object for its scope, instead of a JSStaticScopeObject, such that new variables can be introduced dynamically - effectively transforming: catch (e) { } to with ({e:<the error>}) { } This results in incorrect this value passing if e (or any function introduced into scope by the eval) is called, since per with behavior the object serving as the this value will be passed as this, rather than undefined.
Attachments
The patch (11.08 KB, patch)
2012-02-01 15:47 PST, Gavin Barraclough 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Gavin Barraclough
Comment 1 2012-02-01 15:47:51 PST
Created attachment 125036 [details] The patch
WebKit Review Bot
Comment 2 2012-02-01 15:49:45 PST
Attachment 125036 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1 Source/JavaScriptCore/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] LayoutTests/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] Total errors found: 2 in 12 files If any of these errors are false positives, please file a bug against check-webkit-style.
Gavin Barraclough
Comment 3 2012-02-01 16:09:40 PST
Fixed in r106512.
Note You need to log in before you can comment on or make changes to this bug.