barraclough@apple.com authored
Converted this value not preserved when accessed via direct eval.

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Upon entry into a non-strict function, primitive this values should be boxed as Object types (or substituted with the global object) - which is done by op_convert_this. However, we only do so where this is used lexically within the function (we omit the conversion op if not). The problem comes if a direct eval (running within the function's scope) accesses the this value. We are safe in the case of a single eval, since the this object will be converted within callEval; however, the converted value is not preserved, and a new wrapper object is allocated each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper object will be lost between eval statements.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
- If a function uses eval, we always need to convert this.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
- Don't convert primitive values here - this is too late!
(JSC::Interpreter::privateExecute):
- Changed op_convert_this to call new isPrimitive method.
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
- Changed op_convert_this to call new isPrimitive method.
* runtime/JSCell.h:
(JSC::JSCell::JSValue::isPrimitive):
- Added JSValue::isPrimitive.
* runtime/JSValue.h:
- Added JSValue::isPrimitive.

LayoutTests:

Added test case.

* fast/js/read-modify-eval-expected.txt:
* fast/js/script-tests/read-modify-eval.js:
(primitiveThisTest):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@91164 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1b14205f
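The behaviour the commit message describes, written out as an added example; this is not code from the WebKit commit or from its read-modify-eval.js layout test, and the function names (primitiveThisViaEval, sameWrapperAcrossEvals and the rest) are assumptions chosen here. A non-strict function whose only access to a primitive `this` goes through direct eval must see one boxed wrapper for the whole call, so a property written by one eval is still there for the next, and two evals of `this` compare identical. The functions are built with the Function constructor so they stay non-strict even when the file is loaded as an ES module, where all code is strict and no boxing happens.

```javascript
// Added example; not code from the WebKit commit or its layout test.
// Functions are built with the Function constructor so they are sloppy
// (non-strict) even when this file is loaded as an ES module, where all
// code is strict. Direct eval inside a sloppy function is itself sloppy.
const sloppy = (body) => new Function(body);

// `this` is never used lexically here; only the direct evals reach it.
// In a sloppy function a primitive receiver must be boxed once per call,
// so the property written by the first eval survives into the later ones.
const primitiveThisViaEval = sloppy(`
  eval("this.x = 1");
  eval("this.x += 1");
  return eval("this.x");
`);

// Same logic with lexical uses of `this`, where the conversion op is
// always emitted; the two must agree.
const primitiveThisDirect = sloppy(`
  this.x = 1;
  this.x += 1;
  return this.x;
`);

// True only if both evals observe the same wrapper object. A fresh wrapper
// allocated per eval (the bug the commit describes) would make this false.
const sameWrapperAcrossEvals = sloppy(`
  return eval("this") === eval("this");
`);

// The boxed receiver is an object whose valueOf() yields the primitive.
const boxedType = sloppy(`
  var boxed = eval("this");
  return typeof boxed + ":" + typeof boxed.valueOf();
`);

// Strict functions do not box: `this` stays the primitive.
const strictThisType = sloppy(`
  "use strict";
  return eval("typeof this");
`);

function run() {
  return {
    viaEval: primitiveThisViaEval.call(42),        // 2
    direct: primitiveThisDirect.call(42),          // 2
    sameWrapper: sameWrapperAcrossEvals.call(42),  // true
    boxed: boxedType.call("str"),                  // "object:string"
    strict: strictThisType.call("str"),            // "string"
    // Each call boxes afresh, so state does not leak between calls.
    secondCall: primitiveThisViaEval.call(42),     // 2
  };
}
```

Running `run()` on a spec-conforming engine gives the values in the comments. An engine with the defect described in the commit would return `sameWrapper: false` and, because the first eval's write lands on a wrapper the second eval never sees, would throw or return NaN for `viaEval` rather than 2.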