Closed Bug 600225 Opened 9 years ago Closed 9 years ago

obj_eval treats indirect eval via Array.map as direct

Categories

(Core :: JavaScript Engine, defect)

RESOLVED DUPLICATE of bug 604504

People

(Reporter: jorendorff, Unassigned)

Details

Spun off from bug 600193.

var f = eval;
eval = Array.map;
var x = 1;
function g(x) {
    return eval(["x"], f);
}
assertEq(g(2)[0], 1);


Note that what g is doing is actually `Array.map(["x"], eval)`. This causes Array.map to call eval. The call should be treated as an indirect eval, and thus return the global x. It's treated as direct and returns the argument x.
A possible answer is for JSOP_EVAL to have a bit of extra code, checking for direct eval, before it falls through to JSOP_CALL.

(In case of direct eval, we would call a special js::DirectEval function instead of falling through; all calls via the actual JSNative would get indirect eval. Of course DirectEval and obj_eval would continue to share most of the actual implementation.)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 604504
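
Added example, not part of the bug report or the SpiderMonkey code base: the scoping the report expects, checked in standard JavaScript. All helper names are hypothetical. `globalThis.x` is a constructed stand-in for the report's global `var x`, and `mapLike` stands in for the non-standard `Array.map`.

```javascript
globalThis.x = "global"; // constructed global binding (assumption)

// Direct eval: the callee is the identifier `eval` and its value is the
// built-in function, so the code sees the caller's local scope.
function direct(x) { return eval("x"); }

// Indirect eval: the same built-in reached through any other reference
// evaluates in the global scope.
function viaAlias(x) { const f = eval; return f("x"); }
function viaComma(x) { return (0, eval)("x"); }

// Indirect eval: the built-in is invoked from inside Array.prototype.map.
function viaMap(x) { return ["x"].map(eval)[0]; }

// The report's shape: the call site is spelled `eval(...)`, but that name is
// bound to a map helper, which in turn calls the real eval. new Function
// produces sloppy-mode code, where `eval` is a legal parameter name.
const shadowed = new Function("eval", "f", "x", 'return eval(["x"], f)[0];');
const mapLike = (arr, fn) => arr.map(fn);

// Collect which scope each call form resolved `x` in.
function evalScopes() {
  return {
    direct: direct("local"),
    viaAlias: viaAlias("local"),
    viaComma: viaComma("local"),
    viaMap: viaMap("local"),
    shadowed: shadowed(mapLike, eval, "local"),
  };
}

console.log(evalScopes());
```

Only `direct` may resolve to the argument; an engine that returns the argument for `shadowed` is showing the behaviour this bug describes.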