Upon entry into a non-strcict function primitive types should be boxed as an Object type - which we do using op_convert_this. However we omit to convert this where this is not used within the function. The problem comes if a direct eval (running within the function's scope) accesses this. We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and is freshly converted each time eval is invoked. This is inefficient and incorrect, since any changes to this will be lost between eval statements.
Lemme try that description thing again. Upon entry into a non-strict function, primitive this values should be boxed as Object types (or substituted with the global object) - which is done by op_convert_this. However we only do so where this is used lexically within the function (we omit the conversion op if not). The problem comes if a direct eval (running within the function's scope) accesses the this value. We are safe in the case of a single eval, since the this object will be converted within callEval, however the converted value is not preserved, and a new wrapper object is allocated each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper object will be lost between eval statements.
Created attachment 101103 [details] Preliminary patch, need ChangeLog & layout test.
Created attachment 101106 [details] The patch, with layout test & correct strict mode behaviour
Fixed in r91164