1. 28 Feb, 2012 1 commit
      [[Get]]/[[Put]] for primitives should not wrap on strict accessor call · dca6b2ea
      barraclough@apple.com authored
      Reviewed by Oliver Hunt.
      In the case of [[Get]], this is a pretty trivial bug - just don't wrap
      primitives at the point you call a getter.
      For setters, this is a little more involved, since we have already wrapped
      the value up in a synthesized object. Stop doing so. There is also a further
      subtlety, that in strict mode all attempts to create a new data property on
      the object should throw.
      * runtime/JSCell.cpp:
          - [[Put]] to a string primitive should use JSValue::putToPrimitive.
      * runtime/JSObject.cpp:
          - Remove static function called in one place.
      * runtime/JSObject.h:
          - [[Put]] to a non-cell JSValue should use JSValue::putToPrimitive.
      * runtime/JSValue.cpp:
          - Add support for synthesizing the prototype of strings.
          - Added, implements [[Put]] for primitive bases, per 8.7.2.
      * runtime/JSValue.h:
          - Add declaration for JSValue::putToPrimitive.
      * runtime/PropertySlot.cpp:
          - Don't call ToObject on primitive this values.
      * fast/js/mozilla/strict/
      * fast/js/primitive-property-access-edge-cases-expected.txt:
      * fast/js/read-modify-eval-expected.txt:
      * fast/js/script-tests/primitive-property-access-edge-cases.js:
      * fast/js/script-tests/read-modify-eval.js:
          - Added new test cases & updated test results.
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@109177 268f45cc-cd09-0410-ab3c-d52691b4dbfc
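The following is an added example, not code from the WebKit commit above. It exercises in plain JavaScript (Node.js assumed) the ES5 8.7.2 behaviour the commit describes: a strict-mode getter or setter reached through a primitive base must see the primitive itself as `this`, and a strict-mode [[Put]] that would create a new data property on a primitive must throw. The probe functions are built with the `Function` constructor so that each one is sloppy or strict on its own, whatever mode the surrounding file runs in; the property name `probe` and the record object are arbitrary choices.

```javascript
// Added example, not code from the WebKit commit above. Exercises the
// ES5 8.7.2 behaviour the commit describes, in plain JavaScript (Node.js
// assumed). Probes are created with the Function constructor so each one is
// sloppy or strict by itself, regardless of the surrounding file's mode.
// The property name "probe" and the record object are arbitrary.

// Install an accessor named "probe" on String.prototype, run fn, remove it.
function withProbe(get, set, fn) {
  Object.defineProperty(String.prototype, "probe", {
    configurable: true,
    get,
    set,
  });
  try {
    return fn();
  } finally {
    delete String.prototype.probe;
  }
}

// typeof `this` inside a getter invoked on a string primitive. A sloppy
// getter is handed a String wrapper ("object"); a strict getter must be
// handed the primitive itself ("string"), the [[Get]] half of the fix.
function getterThisTypes() {
  const sloppyGet = new Function("return typeof this;");
  const strictGet = new Function('"use strict"; return typeof this;');
  const s = "abc";
  return {
    sloppy: withProbe(sloppyGet, undefined, () => s.probe),
    strict: withProbe(strictGet, undefined, () => s.probe),
  };
}

// Same question for a setter, the [[Put]] half. The assigned value is a
// record object so the setter can report what it saw without a return value.
function setterThisTypes() {
  const sloppySet = new Function("v", "v.seen = typeof this;");
  const strictSet = new Function("v", '"use strict"; v.seen = typeof this;');
  const s = "abc";
  const run = (set) =>
    withProbe(undefined, set, () => {
      const record = {};
      s.probe = record;
      return record.seen;
    });
  return { sloppy: run(sloppySet), strict: run(strictSet) };
}

// [[Put]] on a primitive base with no setter on the prototype chain cannot
// create a data property: sloppy code silently drops the assignment, strict
// code must throw a TypeError (the "further subtlety" in the commit message).
function putNewDataProperty() {
  const sloppyPut = new Function("s", "s.newProp = 1; return s.newProp;");
  const strictPut = new Function("s", '"use strict"; s.newProp = 1;');
  const sloppy = sloppyPut("abc"); // undefined: no property was created
  let strict;
  try {
    strictPut("abc");
    strict = "no throw";
  } catch (e) {
    strict = e instanceof TypeError ? "TypeError" : "other";
  }
  return { sloppy, strict };
}

console.log(getterThisTypes(), setterThisTypes(), putNewDataProperty());
```

An engine with the bug the commit fixes would report "object" for the strict getter and setter cases, because it boxed the primitive before calling the accessor; the strict `newProp` assignment is where a silent failure rather than a TypeError would show up.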
  2. 16 Jul, 2011 1 commit
      https://bugs.webkit.org/show_bug.cgi?id=64657 · 1b14205f
      barraclough@apple.com authored
      Converted this value not preserved when accessed via direct eval.
      Reviewed by Oliver Hunt.
      Upon entry into a non-strict function, primitive this values should be boxed as Object types
      (or substituted with the global object) - which is done by op_convert_this. However we only
      do so where this is used lexically within the function (we omit the conversion op if not).
      The problem comes if a direct eval (running within the function's scope) accesses the this
      We are safe in the case of a single eval, since the this object will be converted within
      callEval, however the converted value is not preserved, and a new wrapper object is allocated
      each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper
      object will be lost between eval statements.
      * bytecompiler/BytecodeGenerator.cpp:
          - If a function uses eval, we always need to convert this.
      * interpreter/Interpreter.cpp:
          - Don't convert primitive values here - this is too late!
          - Changed op_convert_this to call new isPrimitive method.
      * jit/JITStubs.cpp:
          - Changed op_convert_this to call new isPrimitive method.
      * runtime/JSCell.h:
          - Added JSValue::isPrimitive.
      * runtime/JSValue.h:
          - Added JSValue::isPrimitive.
      Added test case.
      * fast/js/read-modify-eval-expected.txt:
      * fast/js/script-tests/read-modify-eval.js:
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@91164 268f45cc-cd09-0410-ab3c-d52691b4dbfc
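The following is an added example, not code from the WebKit commit above. It checks the behaviour this commit fixes: a non-strict function that never mentions `this` lexically but reaches it through direct eval must see one boxed `this` object, so a property written from one eval is visible from the next and `eval("this") === eval("this")` holds. A strict variant is included for contrast, since strict functions never box a primitive `this` at all. The probe is built with the `Function` constructor so its mode is fixed regardless of the surrounding file; the property name `tag` is arbitrary.

```javascript
// Added example, not code from the WebKit commit above. Checks that a
// primitive `this` converted on entry to a sloppy function (op_convert_this
// in the commit's terms) is preserved across direct evals. The body never
// uses `this` lexically, only through eval, which is the case the commit
// says was mishandled. Built with the Function constructor so the probe is
// sloppy by itself, whatever mode this file runs in. "tag" is arbitrary.
const sloppyEvalThisProbe = new Function(`
  eval("this.tag = 'set by first eval'");      // write through one eval
  return {
    boxed: eval("typeof this"),                 // "object": wrapper, not primitive
    sameObject: eval("this") === eval("this"),  // true only if one wrapper is kept
    tag: eval("this.tag"),                      // visible from a later eval
  };
`);

// Strict contrast: no boxing happens, so eval sees the primitive itself.
const strictEvalThisProbe = new Function(`
  "use strict";
  return { boxed: eval("typeof this") };
`);

// Call the sloppy probe with a primitive receiver (e.g. 42 or "hi").
function sloppyEvalThis(primitive) {
  return sloppyEvalThisProbe.call(primitive);
}

// Call the strict probe with a primitive receiver.
function strictEvalThis(primitive) {
  return strictEvalThisProbe.call(primitive);
}

console.log(sloppyEvalThis(42), sloppyEvalThis("hi"), strictEvalThis(42));
```

With the bug described in the commit, each eval would allocate a fresh wrapper, so `sameObject` would be false and `tag` would come back undefined even though the first eval assigned it.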
  3. 05 Feb, 2008 1 commit