[Webkit-unassigned] [Bug 64657] New: Converted this value not preserved when accessed via direct eval.
bugzilla-daemon at webkit.org
Sat Jul 16 15:00:50 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=64657
Summary: Converted this value not preserved when accessed via direct eval.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
URL: javascript:function f(x) { eval("this.x = 2"); eval("alert(this.x)"); } f.call(1);
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
Upon entry into a non-strict function, primitive types should be boxed as an Object type, which we do using op_convert_this. However, we omit to convert this where this is not used within the function. The problem comes if a direct eval (running within the function's scope) accesses this. We are safe in the case of a single eval, since the this object will be converted within callEval; however, the converted value is not preserved, and is freshly converted each time eval is invoked. This is inefficient and incorrect, since any changes to this will be lost between eval statements.