LibJS: Taint variable environment chain after non-strict direct eval()

Since non-strict direct eval() can insert new bindings into a surrounding var scope, we cannot safely cache some assumptions about environment chain layout after eval() has taken place. Since eval() is rare, let's do what other engines do and simply deoptimize in its presence. This patch adds a new "permanently screwed" flag to JS::Environment that will be set on the entire variable environment chain upon non-strict direct eval().
2025-07-27 10:27:35 +00:00 · 2021-10-07 11:36:44 +02:00 · 2021-10-07 11:36:44 +02:00 · 421845b0cd
commit 421845b0cd
parent 96a67d24e9
4 changed files with 24 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Runtime/Environment.h
+++ b/Userland/Libraries/LibJS/Runtime/Environment.h
@ -53,6 +53,11 @@ public:

    virtual char const* class_name() const override { return "Environment"; }

+    // This flag is set on the entire variable environment chain when direct eval() is performed.
+    // It is used to disable non-local variable access caching.
+    bool is_permanently_screwed_by_eval() const { return m_permanently_screwed_by_eval; }
+    void set_permanently_screwed_by_eval();
+
 protected:
    explicit Environment(Environment* parent);

@ -63,6 +68,8 @@ private:

    GlobalObject* m_global_object { nullptr };
    Environment* m_outer_environment { nullptr };
+
+    bool m_permanently_screwed_by_eval { false };
 };

 }