[Webkit-unassigned] [Bug 182074] JSC incorrectly interpreting script as JSON
bugzilla-daemon at webkit.org
Wed Jan 24 17:18:52 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=182074
--- Comment #5 from Joseph Pecoraro <joepeck at webkit.org> ---
The test file can be reduced to just:

    foo = "test";

And in JSC:

    jsc> let foo = null;
    jsc> load("test.js")
    "root"
    jsc> foo // should be "root"
    null
    jsc> this.foo
    "root"

It looks like LiteralParser gathers a set of JSONP operations. For example:

    foo = "test"; bar=5

Would be something like:

    {
        type: JSONPPathEntryTypeDot,
        name: "foo",
        value: JSValue("test")
    }
    {
        type: JSONPPathEntryTypeDot,
        name: "bar",
        value: JSValue(5)
    }

And Interpreter::executeProgram attempts to apply the JSONPData operations. In this case treating the Dot like `global.foo = "test"` and `global.bar = 5`.
Though it uses the `globalObject` as the baseObject for assignments.
>     JSValue baseObject(globalObject);
>     for (unsigned i = 0; i < JSONPPath.size() - 1; i++) {
>         ASSERT(JSONPPath[i].m_type != JSONPPathEntryTypeDeclare);
>         switch (JSONPPath[i].m_type) {
>         case JSONPPathEntryTypeDot: {
>             if (i == 0) {
>                 PropertySlot slot(globalObject, PropertySlot::InternalMethodType::Get);
>                 if (!globalObject->getPropertySlot(callFrame, JSONPPath[i].m_pathEntryName, slot)) {
>                     RETURN_IF_EXCEPTION(throwScope, JSValue());
>                     if (entry)
>                         return throwException(callFrame, throwScope, createUndefinedVariableError(callFrame, JSONPPath[i].m_pathEntryName));
>                     goto failedJSONP;
>                 }
>                 baseObject = slot.getValue(callFrame, JSONPPath[i].m_pathEntryName);
>             } else
>                 baseObject = baseObject.get(callFrame, JSONPPath[i].m_pathEntryName);
>             RETURN_IF_EXCEPTION(throwScope, JSValue());
>             continue;
>         }
It seems like using the GlobalObject misses the GlobalLexicalEnvironment containing the `let` variables.
And indeed that is confirmed by `global.foo` being "root", but just `foo` being `null`.
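
Added example, not part of the original comment and not WebKit code or its fix: a small JavaScript model of the behaviour described above, applying JSONP-style assignments to the global object only versus resolving each name in the global lexical environment first. The scope model, the naive statement parser and every function name here are assumptions made for illustration.

```javascript
// Model of the global scope: a bare identifier is resolved in the global
// lexical environment (let/const) before the global object (var, this.x).
function makeGlobalScope() {
  return { lexical: new Map(), object: Object.create(null) };
}

// Constructed stand-in for the parser output: one Dot entry per
// `name = <JSON literal>` statement. Naive split on ';', fine for these samples only.
function parseJSONPAssignments(source) {
  return source.split(';').map(s => s.trim()).filter(Boolean).map(stmt => {
    const m = /^([A-Za-z_$][\w$]*)\s*=\s*(.+)$/.exec(stmt);
    if (!m) throw new SyntaxError('not a JSONP-style assignment: ' + stmt);
    return { type: 'JSONPPathEntryTypeDot', name: m[1], value: JSON.parse(m[2]) };
  });
}

// Behaviour described in the comment: every assignment lands on the global object.
function applyToGlobalObjectOnly(scope, ops) {
  for (const op of ops) scope.object[op.name] = op.value;
}

// Lexical-first resolution: an existing let/const binding with that name wins.
function applyWithLexicalLookup(scope, ops) {
  for (const op of ops) {
    const binding = scope.lexical.get(op.name);
    if (!binding) { scope.object[op.name] = op.value; continue; }
    if (binding.isConst) throw new TypeError('assignment to constant ' + op.name);
    binding.value = op.value;
  }
}

// What a bare `name` evaluates to after the script has run.
function readIdentifier(scope, name) {
  const binding = scope.lexical.get(name);
  return binding ? binding.value : scope.object[name];
}

// Start from `let foo = null;`, apply the script, report what each lookup sees.
function run(apply, source) {
  const scope = makeGlobalScope();
  scope.lexical.set('foo', { value: null, isConst: false });
  apply(scope, parseJSONPAssignments(source));
  return { foo: readIdentifier(scope, 'foo'), thisFoo: scope.object.foo,
           bar: readIdentifier(scope, 'bar') };
}

console.log(run(applyToGlobalObjectOnly, 'foo = "test"; bar=5'));
console.log(run(applyWithLexicalLookup, 'foo = "test"; bar=5'));
```

The first call reproduces the split reported above (bare `foo` unchanged, `this.foo` updated); the second leaves no `foo` property on the global object.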