Closed Bug 735161 Opened 14 years ago Closed 13 years ago

Method JIT allows assignment to undeclared in ES5 strict mode code

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: jruderman, Assigned: bhackett1024)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

patch
1.49 KB, patch
dvander
: review+
Details | Diff | Splinter Review
var obj = {valueOf: function() { "use strict"; undeclared = 7; }}; try { '' + obj; print("FAIL 1"); } catch(e) { } try { '' + obj; print("FAIL 2"); } catch(e) { } if ("undeclared" in this) print("FAIL 3"); ./js (no output; PASS) ./js -m -a FAIL 2, FAIL 3
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 81258:f852758f39d1 user: Brian Hackett date: Thu Oct 13 20:21:36 2011 -0700 summary: Move JSObject::parent to BaseShape, bug 638316.
Blocks: 638316
Keywords: regression
Attached patch patchSplinter Review
autoBisect is wrong, this bug is older. The PIC generation for ADDPROP wasn't checking for undeclared vars under SETNAME, this patch disables the PIC in such cases.
Assignee: general → bhackett1024
Attachment #605407 - Flags: review?(dvander)
Attachment #605407 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/9c1d8c86c3cd
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: