Bug 64657 - Converted this value not preserved when accessed via direct eval.
Summary: Converted this value not preserved when accessed via direct eval.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL: javascript:function f(x) { eval("this...
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-16 15:00 PDT by Gavin Barraclough
Modified: 2011-07-16 22:05 PDT (History)
0 users

See Also:


Attachments
Preliminary patch, need ChangeLog & layout test. (3.27 KB, patch)
2011-07-16 15:54 PDT, Gavin Barraclough
no flags Details | Formatted Diff | Diff
The patch, with layout test & correct strict mode behaviour (8.26 KB, patch)
2011-07-16 17:30 PDT, Gavin Barraclough
oliver: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Gavin Barraclough 2011-07-16 15:00:51 PDT
Upon entry into a non-strcict function primitive types should be boxed as an Object type - which we do using op_convert_this.  However we omit to convert this where this is not used within the function.  The problem comes if a direct eval (running within the function's scope) accesses this.  We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and is freshly converted each time eval is invoked.  This is inefficient and incorrect, since any changes to this will be lost between eval statements.
Comment 1 Gavin Barraclough 2011-07-16 15:52:47 PDT
Lemme try that description thing again.

Upon entry into a non-strict function, primitive this values should be boxed as Object types (or substituted with the global object) - which is done by op_convert_this.  However we only do so where this is used lexically within the function (we omit the conversion op if not).  The problem comes if a direct eval (running within the function's scope) accesses the this value.

We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and a new wrapper object is allocated each time eval is invoked.  This is inefficient and incorrect, since any changes to the wrapper object will be lost between eval statements.
Comment 2 Gavin Barraclough 2011-07-16 15:54:06 PDT
Created attachment 101103 [details]
Preliminary patch, need ChangeLog & layout test.
Comment 3 Gavin Barraclough 2011-07-16 17:30:16 PDT
Created attachment 101106 [details]
The patch, with layout test & correct strict mode behaviour
Comment 4 Gavin Barraclough 2011-07-16 22:05:13 PDT
Fixed in r91164