Function("return function() { eval(''); return anonymous; }")()() should throw a ReferenceError

RESOLVED FIXED in Firefox 53

Status

()

defect
--
minor
RESOLVED FIXED
9 years ago
3 years ago

People

(Reporter: Waldo, Assigned: arai)

Tracking

unspecified
mozilla53
Points:
---

Firefox Tracking Flags

(firefox53 fixed)

Details

()

Attachments

(1 attachment, 1 obsolete attachment)

We give Function()-created functions the name "anonymous" for stringification purposes.  That behavior's pretty much an ipse dixit at this point.  But as a side effect, this makes the name "anonymous", if not optimized, evaluate to the Function()-created function in the function's code.

Here's correct behavior from jsc:

[jwalden@find-waldo-now ~]$ run-jsc
> Function("return function() { eval(''); return anonymous; }")    
function anonymous() { return function() { eval(''); return anonymous; }
}
> Function("return function() { eval(''); return anonymous; }")()  
function () { eval(''); return anonymous; }
> Function("return function() { eval(''); return anonymous; }")()()
Exception: ReferenceError: Can't find variable: anonymous

Here's our incorrect behavior:

[jwalden@find-waldo-now ~]$ ~/moz/js-tm/js/src/dbg/js
js> Function("return function() { eval(''); return anonymous; }")
(function anonymous() {return function () {eval("");return anonymous;};})
js> Function("return function() { eval(''); return anonymous; }")()
(function () {eval("");return anonymous;})
js> Function("return function() { eval(''); return anonymous; }")()()
(function anonymous() {return function () {eval("");return anonymous;};})
js> Function("return function() { eval(''); return anonymous; }")()()()
(function () {eval("");return anonymous;})

Thanks to jorendorff for pointing out the key to this when inquiring about how a function in Function() code could have an "Object" (DeclEnv, but clasp->name is "Object") on its scope chain.
Spurred on by atom/displayAtom discussion today, I had this idea I could set "anonymous" as the display name and that that would turn off Function()'s "anonymous" name appearing in the scope chain.  It does.  But it also makes Function().name === "".  Spur-of-the-moment hack fail, back on the back burner again.
Assignee: general → nobody
See Also: → 755821
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
This patch is based on bug 755821.

We create named lambda scope in Parser::finishFunctionScopes, when |funbox->function()->isNamedLambda()| is true.
this condition matches to a function created by Function ctor, that's the reason why it gets wrong scope with the name binding.
So, added extra parameter |isStandaloneFunction|, and avoid creating the scope if it's true.

Also added a testcase for binding with JS::CompileFunction in testFunctionBinding.cpp.
The test passes with and without this patch, so it keeps current behavior (no binding is created)
Attachment #762931 - Attachment is obsolete: true
Attachment #8813443 - Flags: review?(till)
Comment on attachment 8813443 [details] [diff] [review]
Do not create named lambda binding for a function created by Function constructor.

Review of attachment 8813443 [details] [diff] [review]:
-----------------------------------------------------------------

I'm not too happy about the "isStandaloneFunction" parameter name. I also don't have any suggestions for a better name, so let's go with that.
Attachment #8813443 - Flags: review?(till) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/1e932a9badfac50e6dcfa4a4da395c7644cbc73a
Bug 636635 - Do not create named lambda binding for a function created by Function constructor. r=till
https://hg.mozilla.org/mozilla-central/rev/1e932a9badfa
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.