mirror of https://github.com/RGBCube/serenity (synced 2025-07-25 19:37:35 +00:00)
LibJS: Taint variable environment chain after non-strict direct eval()
Since non-strict direct eval() can insert new bindings into a surrounding var scope, we cannot safely cache some assumptions about environment chain layout after eval() has taken place. Since eval() is rare, let's do what other engines do and simply deoptimize in its presence. This patch adds a new "permanently screwed" flag to JS::Environment that will be set on the entire variable environment chain upon non-strict direct eval().
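The JavaScript behaviour behind that constraint, as an added example that is not part of the commit or of LibJS (the `probe` helper and the `outer`/`inner`/`read` names are this example's own): a closure resolves a name through the environment chain before and after the enclosing function runs a direct `eval()`, once in sloppy mode, once in strict mode, and once as an indirect call.

```javascript
// Added example (not LibJS code): the JavaScript behaviour that forces this
// deoptimization. A non-strict direct eval() can add a `var` binding to the
// calling function's variable environment while that function is running,
// so a name that resolved through the environment chain before the eval can
// resolve to a different binding afterwards. `probe` is a hypothetical
// helper built with the Function constructor, which always yields sloppy-mode
// functions, so the demo behaves the same whether this file is loaded as a
// strict ES module or as a CommonJS script.
const probe = new Function("src", `
  var outer = "outer";                 // binding in probe's own scope
  function inner() {
    // read() resolves 'outer' by name through inner's chain at call time
    var read = function () { return outer; };
    var before = read();
    eval(src);                         // direct eval; non-strict unless src opts in
    var after = read();
    return { before: before, after: after, global: globalThis.outer };
  }
  return inner();
`);

// 1. Non-strict direct eval declares a fresh 'outer' in inner's variable
//    environment. The closure now sees the injected binding, so a cached
//    coordinate "outer = one environment up" would be wrong from here on.
function sloppyDirectEval() {
  return probe('var outer = "injected"');
}

// 2. Strict direct eval gets its own variable environment; the declaration
//    never escapes, so the closure is unaffected.
function strictDirectEval() {
  return probe('"use strict"; var outer = "injected"');
}

// 3. Indirect eval evaluates in the global scope: the declaration becomes a
//    property of globalThis, which is shadowed by probe's own 'outer'.
function indirectEval() {
  const result = probe("(0, eval)(\"var outer = 'injected'\")");
  delete globalThis.outer;             // eval-created global vars are deletable
  return result;
}

// Run all three and report which case disturbed the closure.
function summarize() {
  return {
    sloppyDirect: sloppyDirectEval(),
    strictDirect: strictDirectEval(),
    indirect: indirectEval(),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

Only the first case changes what `read()` returns, which is why the hunk below conditions the flag on `direct == EvalMode::Direct && !strict_eval`: strict eval keeps its declarations in a fresh environment, and indirect eval only touches the global object.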
parent 96a67d24e9
commit 421845b0cd
4 changed files with 24 additions and 1 deletion
@ -444,6 +444,13 @@ ThrowCompletionOr<Value> perform_eval(Value x, GlobalObject& caller_realm, Calle
if (strict_eval)
variable_environment = lexical_environment;

if (direct == EvalMode::Direct && !strict_eval) {
// NOTE: Non-strict direct eval() forces us to deoptimize variable accesses.
// Mark the variable environment chain as screwed since we will not be able
// to rely on cached environment coordinates from this point on.
variable_environment->set_permanently_screwed_by_eval();
}

// 18. If runningContext is not already suspended, suspend runningContext.
// FIXME: We don't have this concept yet.
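Review bot: `variable_environment->set_permanently_screwed_by_eval();` is called on a single environment, while the commit message says the flag is set on the entire variable environment chain; nothing in this hunk walks the outer environments, so either the setter must do that walk itself or a loop belongs here, and the comment above the call ("Mark the variable environment chain as screwed") should say where the walk happens. On the same comment: the flag is set before the eval source is run (step 18 below has not happened yet), so every non-strict direct eval() taints the chain even when the evaluated code declares no var at all; that is a safe over-approximation and matches the "deoptimize in its presence" intent, but the comment's "from this point on" would be clearer as "regardless of what the evaluated code declares".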