WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
64250
Global strict mode function leaking global object as "this".
https://bugs.webkit.org/show_bug.cgi?id=64250
Summary
Global strict mode function leaking global object as "this".
Mark S. Miller
Reported
2011-07-10 22:11:28 PDT
> function foo(){"use strict"; return this;}
undefined > foo() DOMWindow The call to foo() should have returned undefined.
Attachments
Updated test case
(1.18 KB, text/html)
2011-07-13 14:12 PDT
,
Gavin Barraclough
no flags
Details
Correction to test case
(1.18 KB, text/html)
2011-07-13 14:19 PDT
,
Gavin Barraclough
no flags
Details
The patch
(51.94 KB, patch)
2011-07-14 12:45 PDT
,
Gavin Barraclough
oliver
: review-
Details
Formatted Diff
Diff
Fix for global object getter/setter properties, added test case & ASSERT in JSC::call to guard against global object being passed.
(55.65 KB, patch)
2011-07-14 15:30 PDT
,
Gavin Barraclough
oliver
: review-
Details
Formatted Diff
Diff
Added asserts, changed calls in WebCore/WebKit/WebKit2 to pass correct global object to call.
(66.98 KB, patch)
2011-07-15 12:00 PDT
,
Gavin Barraclough
oliver
: review+
Details
Formatted Diff
Diff
Show Obsolete
(3)
View All
Add attachment
proposed patch, testcase, etc.
Gavin Barraclough
Comment 1
2011-07-12 22:44:26 PDT
Trivially, the bug here is that JSGlobalObject doesn't set NeedsThisConversion. But just setting that may be a performance regression. (Will make us take unnecessary calls out in non-strict code). An alternative would be a NeedsStrictThisConversion flag, but it would probably be better to fix jsc so we no longer rely on this conversion to fix up scope objects once we're inside the call, and instead to pass the correct this object into functions in the first place.
Brendan Eich
Comment 2
2011-07-13 12:23:52 PDT
http://code.google.com/p/v8/issues/detail?id=1547
has a testcase in
comment 6
, correct ES5 output is "oooouuuu", Firefox does "ioiouuuu" for backward compat (but we would like to break that in a coordinated move by browser vendors, with site evangelism as needed). /be
Gavin Barraclough
Comment 3
2011-07-13 14:12:11 PDT
Created
attachment 100706
[details]
Updated test case
Gavin Barraclough
Comment 4
2011-07-13 14:19:21 PDT
Created
attachment 100709
[details]
Correction to test case
Gavin Barraclough
Comment 5
2011-07-13 14:37:09 PDT
(In reply to
comment #2
)
>
http://code.google.com/p/v8/issues/detail?id=1547
has a testcase in
comment 6
, correct ES5 output is "oooouuuu", Firefox does "ioiouuuu" for backward compat (but we would like to break that in a coordinated move by browser vendors, with site evangelism as needed). > > /be
Hey Brendan, Thanks for the test case. Just to confirm, the text in the test case seems to be incorrect in stating the expected result to be "iooouuuu", whereas my understanding agrees with your comment that the correct result should be "oooouuuu". I've expanded the test to cover 'with' behaviour. I'd expected that the correct this value to be passed in all cases of with statements should be the base object that the property is being accessed off, but looking at the spec (and Safari/FireFox behaviour!) this is incorrect, since the definition for the comma operator causes GetValue to be called on the reference. It would be great to get confirmation that my understanding here is correct! WRT to coordinating releases, that would be great. I'll probably fix this in ToT soon so we can start the bug finding /evangelism process. I think you guys have plans on a faster release cycle than we do right now - any idea when you'd expect to see this change in a release Firefox? many thanks, G.
Brendan Eich
Comment 6
2011-07-13 16:24:26 PDT
(In reply to
comment #5
)
> (In reply to
comment #2
) > >
http://code.google.com/p/v8/issues/detail?id=1547
has a testcase in
comment 6
, correct ES5 output is "oooouuuu", Firefox does "ioiouuuu" for backward compat (but we would like to break that in a coordinated move by browser vendors, with site evangelism as needed). > > > > /be > > Hey Brendan, > > Thanks for the test case. Just to confirm, the text in the test case seems to be incorrect in stating the expected result to be "iooouuuu", whereas my understanding agrees with your comment that the correct result should be "oooouuuu".
ES5 wants oooouuuu. Mark, upon hearing the full horror of the web compatibility constraint, wants iooouuuu (he wrote the test, I extended it to test the strict callee g). This is something Mark wants to allow strict callers to protect themselves from leaking the capability to their global object to non-strict callees. Firefox and IE do ioio.... (IE, even IE10pp, still does not handle strict mode correctly, so gives ioio for .... -- Firefox gives uuuu). For SpiderMonkey in Firefox, we avoided an extra test for strict caller and wound up with ioiouuuu. We could add the test to avoid the capability leak, but I just today expressed to mark my hope that we can all switch to oooouuuu without breaking the web (maybe with a bit of site evangelism).
> I've expanded the test to cover 'with' behaviour. I'd expected that the correct this value to be passed in all cases of with statements should be the base object that the property is being accessed off, but looking at the spec (and Safari/FireFox behaviour!) this is incorrect, since the definition for the comma operator causes GetValue to be called on the reference. It would be great to get confirmation that my understanding here is correct!
You are correct.
> WRT to coordinating releases, that would be great. I'll probably fix this in ToT soon so we can start the bug finding /evangelism process. I think you guys have plans on a faster release cycle than we do right now - any idea when you'd expect to see this change in a release Firefox?
Firefox 8, so since we shipped 5 and we ship every quarter, < 3 quarters from now -- early next year. Question is how many sites will test with our nightly, aurora (think a for alpha) and beta channels, which pipeline-stage every six weeks. But if we get you and V8 to do oooouuuu as well, then *maybe*. The IE share is the worry. /be
Gavin Barraclough
Comment 7
2011-07-14 12:45:41 PDT
Created
attachment 100846
[details]
The patch Perf tested okay, tested 32bit, 64bit, DFG & interpreter builds.
Oliver Hunt
Comment 8
2011-07-14 12:55:34 PDT
Comment on
attachment 100846
[details]
The patch Check behaviour of getters and setters on the global object, including the cached scenarios.
Gavin Barraclough
Comment 9
2011-07-14 15:30:57 PDT
Created
attachment 100875
[details]
Fix for global object getter/setter properties, added test case & ASSERT in JSC::call to guard against global object being passed.
Oliver Hunt
Comment 10
2011-07-14 15:39:55 PDT
Comment on
attachment 100875
[details]
Fix for global object getter/setter properties, added test case & ASSERT in JSC::call to guard against global object being passed. r=me
Oliver Hunt
Comment 11
2011-07-14 15:47:40 PDT
Comment on
attachment 100875
[details]
Fix for global object getter/setter properties, added test case & ASSERT in JSC::call to guard against global object being passed. I think badness can happen in ::execute(Program... ::execute(EvalNode
Gavin Barraclough
Comment 12
2011-07-15 12:00:06 PDT
Created
attachment 101020
[details]
Added asserts, changed calls in WebCore/WebKit/WebKit2 to pass correct global object to call.
WebKit Review Bot
Comment 13
2011-07-15 12:11:21 PDT
Attachment 101020
[details]
did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1 Source/JavaScriptCore/interpreter/Interpreter.h:100: The parameter name "scopeChain" adds no information, so it should be removed. [readability/parameter_name] [5] Total errors found: 1 in 45 files If any of these errors are false positives, please file a bug against check-webkit-style.
Oliver Hunt
Comment 14
2011-07-15 12:12:02 PDT
Comment on
attachment 101020
[details]
Added asserts, changed calls in WebCore/WebKit/WebKit2 to pass correct global object to call. r=me
Gavin Barraclough
Comment 15
2011-07-15 12:53:32 PDT
I've landed these changes in
r91095
, Now we just need be vigilant for compatibility issues. G.
Simon Fraser (smfr)
Comment 16
2011-07-16 20:33:55 PDT
This caused a bunch of new assertions on the bots:
http://build.webkit.org/results/Leopard%20Intel%20Debug%20(Tests)/r91161%20(32455)/http/tests/inspector/network/network-embed-crash-log.txt
Gavin Barraclough
Comment 17
2011-07-17 14:12:53 PDT
(In reply to
comment #16
)
> This caused a bunch of new assertions on the bots: >
http://build.webkit.org/results/Leopard%20Intel%20Debug%20(Tests)/r91161%20(32455)/http/tests/inspector/network/network-embed-crash-log.txt
Cheers Simon, missed those, will investigate.
Gavin Barraclough
Comment 18
2011-07-20 19:18:52 PDT
***
Bug 51097
has been marked as a duplicate of this bug. ***
Gavin Barraclough
Comment 19
2011-07-20 19:19:01 PDT
***
Bug 58338
has been marked as a duplicate of this bug. ***
Andrew Wason
Comment 20
2011-08-11 17:09:12 PDT
The isValidThisObject assert added to Source/JavaScriptCore/runtime/CallData.cpp breaks the Qt JS bridge signal connection functionality in debug builds.
http://doc.qt.nokia.com/latest/qtwebkit-bridge.html#signal-to-function-connections
See
bug 66097
.
Gavin Barraclough
Comment 21
2011-12-25 15:49:26 PST
***
Bug 11884
has been marked as a duplicate of this bug. ***
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug