[Webkit-unassigned] [Bug 182074] JSC incorrectly interpreting script as JSON

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 24 17:18:52 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=182074

--- Comment #5 from Joseph Pecoraro <joepeck at webkit.org> ---
The test file can be reduced to just:

    foo = "test";

And in JSC:

    jsc> let foo = null;
    jsc> load("test.js")
    "root"

    jsc> foo // should be "root"
    null

    jsc> this.foo
    "root"

It looks like LiteralParser gathers a set of JSONP operations. For example:

    foo = "test"; bar=5

Would be something like:

    {
       type: JSONPPathEntryTypeDot,
       name: "foo",
       value: JSValue("test")
    }
    {
       type: JSONPPathEntryTypeDot,
       name: "bar",
       value: JSValue(5)
    }

And Interpreter::executeProgram attempts to apply the JSONPData operations. In this case it treats the Dot entries like `global.foo = "test"` and `global.bar = 5`.

Though it uses the `globalObject` as the baseObject for assignments.

>     JSValue baseObject(globalObject);
>     for (unsigned i = 0; i < JSONPPath.size() - 1; i++) {
>         ASSERT(JSONPPath[i].m_type != JSONPPathEntryTypeDeclare);
>         switch (JSONPPath[i].m_type) {
>         case JSONPPathEntryTypeDot: {
>             if (i == 0) {
>                 PropertySlot slot(globalObject, PropertySlot::InternalMethodType::Get);
>                 if (!globalObject->getPropertySlot(callFrame, JSONPPath[i].m_pathEntryName, slot)) {
>                     RETURN_IF_EXCEPTION(throwScope, JSValue());
>                     if (entry)
>                         return throwException(callFrame, throwScope, createUndefinedVariableError(callFrame, JSONPPath[i].m_pathEntryName));
>                     goto failedJSONP;
>                 }
>                 baseObject = slot.getValue(callFrame, JSONPPath[i].m_pathEntryName);
>             } else
>                 baseObject = baseObject.get(callFrame, JSONPPath[i].m_pathEntryName);
>             RETURN_IF_EXCEPTION(throwScope, JSValue());
>             continue;
>         }

It seems like using the GlobalObject misses the GlobalLexicalEnvironment containing the `let` variables.

And indeed that is confirmed by `global.foo` being "root", but just `foo` being `null`.
