Created attachment 128896 [details] Test cases See attached TC. The special [[Get]]/[[Put]] defined in ES5.1 §8.7 calls accessors with the primitive value as thisArg; in the non-strict accessor case §10.4.3 calls ToObject on thisArg before entering the function code, whereas in the strict accessor case thisArg is passed through untouched (i.e., as a primitive). Currently SM (730632), JSC, and Carakan (CORE-44789) all always wrap, V8 never does (about to be reported).
Ugh, yes. Should be a relatively easy fix, thanks for the bug report!
I think there is a second, related bug here. Following through the spec, the behavior described in this bug arises from how primitives are handled as the bases of references, in section 8.7. In the case of access to a data property, in strict mode a put should always throw rather than creating a new value on a transient object.
Created attachment 129362 [details] Fix
Fixed in r109177
*** Bug 79843 has been marked as a duplicate of this bug. ***