Changeset 90938 in webkit

Timestamp:

Jul 13, 2011 11:59:34 AM (13 years ago)

Author:

barraclough@apple.com

Message:

​https://bugs.webkit.org/show_bug.cgi?id=64424
Our direct eval behaviour deviates slightly from the spec.

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where
behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();"
or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables
may be introduced into the caller's environment.

ES5 direct calls are any call where the callee function is provided by a reference, a base
of that Reference is an EnvironmentRecord (this corresponds to all productions
"PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name
of the reference is "eval". This means any expression of the form "eval(...)", and that
calls the standard built in eval method from on the Global Object, is considered to be
direct.

In JavaScriptCore we are currently overly restrictive. We also check that the
EnvironmentRecord that is the base of the reference is the Declaractive Environment Record
at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement
that hits a var eval in a nested scope is not considered to be direct. This behaviour does
not emanate from the spec, and is incorrect.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute):

• Fixed direct eval check in op_call_eval.

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• Fixed direct eval check in op_call_eval.

• runtime/Executable.h:

(JSC::isHostFunction):

• Added check for host function with specific NativeFunction.

LayoutTests:

Correct expected results.

• fast/js/eval-keyword-vs-function-expected.txt:
• fast/js/eval-keyword-vs-function.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/eval-keyword-vs-function-expected.txt (modified) (3 diffs)
• LayoutTests/fast/js/eval-keyword-vs-function.html (modified) (3 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITStubs.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Executable.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-07-12  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64424
+        Our direct eval behaviour deviates slightly from the spec.
+
+        Reviewed by Oliver Hunt.
+
+        Correct expected results.
+
+        * fast/js/eval-keyword-vs-function-expected.txt:
+        * fast/js/eval-keyword-vs-function.html:
+
 2011-07-13  Abhishek Arya  <inferno@chromium.org>
 

trunk/LayoutTests/fast/js/eval-keyword-vs-function-expected.txt

@@ -13 +13 @@
 PASS: globalEval("x") should be 0 and is.
 PASS: localEval("x") should be 0 and is.
-PASS: (function() { var eval = window.eval; return eval("x"); })() should be 0 and is.
+PASS: (function() { var eval = window.eval; return eval("x"); })() should be 1 and is.
 
 ----- Variable Object: -----
@@ -21 +21 @@
 PASS: globalEval("var y; "y" in window") should be true and is.
 PASS: localEval("var y; "y" in window") should be true and is.
-PASS: (function() { var eval = window.eval; return eval("var y; "y" in window"); })() should be true and is.
+PASS: (function() { var eval = window.eval; return eval("var y; "y" in window"); })() should be false and is.
 
 ----- Scope Chain for Setters: -----
@@ -29 +29 @@
 PASS: globalEval("z = 3; window.z") should be 3 and is.
 PASS: localEval("z = 4; window.z") should be 4 and is.
-PASS: (function() { var eval = window.eval; return eval("z = 5; window.z"); })() should be 5 and is.
+PASS: (function() { var eval = window.eval; return eval("z = 5; window.z"); })() should be 4 and is.
 
 ----- This Object: -----

trunk/LayoutTests/fast/js/eval-keyword-vs-function.html

@@ -44 +44 @@
     shouldBe('globalEval("x")', globalEval("x"), 0);
     shouldBe('localEval("x")', localEval("x"), 0);
-    shouldBe('(function() { var eval = window.eval; return eval("x"); })()', (function() { var eval = window.eval; return eval("x"); })(), 0);
+
+    // Per ES5 15.1.2.11 & 10.2.2.1 any reference that hits an enviromment record (i.e. does not have a base)
+    // and has a reference name of "eval" is treated as a direct eval - the assignment to a var makes no difference.
+    shouldBe('(function() { var eval = window.eval; return eval("x"); })()', (function() { var eval = window.eval; return eval("x"); })(), 1);
 }
 
@@ -63 +66 @@
     delete window.y;
     
-    shouldBe('(function() { var eval = window.eval; return eval("var y; \"y\" in window"); })()', (function() { var eval = window.eval; return eval("var y; \"y\" in window"); })(), true);
+    // Per ES5 15.1.2.11 & 10.2.2.1 any reference that hits an enviromment record (i.e. does not have a base)
+    // and has a reference name of "eval" is treated as a direct eval - the assignment to a var makes no difference.
+    shouldBe('(function() { var eval = window.eval; return eval("var y; \"y\" in window"); })()', (function() { var eval = window.eval; return eval("var y; \"y\" in window"); })(), false);
 }
 
@@ -80 +85 @@
     shouldBe('localEval("z = 4; window.z")', localEval("z = 4; window.z"), 4);
 
-    shouldBe('(function() { var eval = window.eval; return eval("z = 5; window.z"); })()', (function() { var eval = window.eval; return eval("z = 5; window.z"); })(), 5);
+    // Per ES5 15.1.2.11 & 10.2.2.1 any reference that hits an enviromment record (i.e. does not have a base)
+    // and has a reference name of "eval" is treated as a direct eval - the assignment to a var makes no difference.
+    shouldBe('(function() { var eval = window.eval; return eval("z = 5; window.z"); })()', (function() { var eval = window.eval; return eval("z = 5; window.z"); })(), 4);
 }
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-12  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64424
+        Our direct eval behaviour deviates slightly from the spec.
+
+        Reviewed by Oliver Hunt.
+
+        The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where
+        behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();"
+        or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables
+        may be introduced into the caller's environment.
+
+        ES5 direct calls are any call where the callee function is provided by a reference, a base
+        of that Reference is an EnvironmentRecord (this corresponds to all productions
+        "PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name
+        of the reference is "eval". This means any expression of the form "eval(...)", and that
+        calls the standard built in eval method from on the Global Object, is considered to be
+        direct.
+
+        In JavaScriptCore we are currently overly restrictive. We also check that the
+        EnvironmentRecord that is the base of the reference is the Declaractive Environment Record
+        at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement
+        that hits a var eval in a nested scope is not considered to be direct. This behaviour does
+        not emanate from the spec, and is incorrect.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+            - Fixed direct eval check in op_call_eval.
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+            - Fixed direct eval check in op_call_eval.
+        * runtime/Executable.h:
+        (JSC::isHostFunction):
+            - Added check for host function with specific NativeFunction.
+
 2011-07-13  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -4100 +4100 @@
         JSValue funcVal = callFrame->r(func).jsValue();
 
-        Register* newCallFrame = callFrame->registers() + registerOffset;
-        Register* argv = newCallFrame - RegisterFile::CallFrameHeaderSize - argCount;
-        JSValue thisValue = argv[0].jsValue();
-        JSGlobalObject* globalObject = callFrame->scopeChain()->globalObject.get();
-
-        if (thisValue == globalObject && funcVal == globalObject->evalFunction()) {
+        if (isHostFunction(callFrame->globalData(), funcVal, globalFuncEval)) {
+            Register* newCallFrame = callFrame->registers() + registerOffset;
+            Register* argv = newCallFrame - RegisterFile::CallFrameHeaderSize - argCount;
+
             JSValue result = callEval(callFrame, registerFile, argv, argCount, registerOffset);
             if ((exceptionValue = globalData->exception))

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -3160 +3160 @@
     int argCount = stackFrame.args[2].int32();
 
+    if (!isHostFunction(callFrame->globalData(), funcVal, globalFuncEval))
+        return JSValue::encode(JSValue());
+
     Register* newCallFrame = callFrame->registers() + registerOffset;
     Register* argv = newCallFrame - RegisterFile::CallFrameHeaderSize - argCount;
-    JSValue baseValue = argv[0].jsValue();
-    JSGlobalObject* globalObject = callFrame->scopeChain()->globalObject.get();
-
-    if (baseValue == globalObject && funcVal == globalObject->evalFunction()) {
-        JSValue result = interpreter->callEval(callFrame, registerFile, argv, argCount, registerOffset);
-        CHECK_FOR_EXCEPTION_AT_END();
-        return JSValue::encode(result);
-    }
-
-    return JSValue::encode(JSValue());
+
+    JSValue result = interpreter->callEval(callFrame, registerFile, argv, argCount, registerOffset);
+    CHECK_FOR_EXCEPTION_AT_END();
+    return JSValue::encode(result);
 }
 

trunk/Source/JavaScriptCore/runtime/Executable.h

@@ -515 +515 @@
         return static_cast<NativeExecutable*>(m_executable.get())->function();
     }
+
+    inline bool isHostFunction(JSGlobalData& globalData, JSValue value, NativeFunction nativeFunction)
+    {
+        JSFunction* function = static_cast<JSFunction*>(getJSFunction(globalData, value));
+        if (!function || !function->isHostFunction())
+            return false;
+        return function->nativeFunction() == nativeFunction;
+    }
+
 }