[quickjs-devel] Re: A possible issue about the scope of variable in QuickJS

From: Ondřej Jirman <deibeemoocheuguhumoh@xxxxxx>
To: quickjs-devel@xxxxxxxxxxxxx
Date: Fri, 6 Sep 2019 17:59:39 +0200

Hi,

On Fri, Sep 06, 2019 at 04:22:40PM +0200, Mario Gliewe wrote:

very funny,  seems to be specific to the eval() function..

i tried the following, which passed ok:

--snip--

let evil=666;
function test1(evil) {
        console.log('the evil is ',evil);
        eval('console.log("the evil is ",evil)');
}
function test2() {
        test1(42);
};
test2();

function test3(Object) {
        console.log('Object is ', Object);
}
function test4() {
        console.log('Object is ', Object);
}
function test5() {
        test3(' void');
};
test4();
test5();

--snap--

It's due to special handling in js_parse_postfix_expr. If it's named eval,
it will do eval, no matter what. And this is decided at parse time and not
during execution:

            if (call_type == FUNC_CALL_NORMAL) {
            parse_func_call:
                switch(opcode = get_prev_opcode(fd)) {
                case OP_get_field:
                    /* keep the object on the stack */
                    fd->byte_code.buf[fd->last_opcode_pos] = OP_get_field2;
                    break;
                case OP_scope_get_private_field:
                    /* keep the object on the stack */
                    fd->byte_code.buf[fd->last_opcode_pos] =
OP_scope_get_private_field2;
                    break;
                case OP_get_array_el:
                    /* keep the object on the stack */
                    fd->byte_code.buf[fd->last_opcode_pos] = OP_get_array_el2;
                    break;
                case OP_scope_get_var:
                    {
                        JSAtom name;
                        int scope;
                        name = get_u32(fd->byte_code.buf + fd->last_opcode_pos
+ 1);
                        scope = get_u16(fd->byte_code.buf + fd->last_opcode_pos
+ 5);
here >>>                if (name == JS_ATOM_eval && call_type ==
FUNC_CALL_NORMAL) {
                            /* direct 'eval' */
                            JS_FreeAtom(s->ctx, name);
                            fd->byte_code.size = fd->last_opcode_pos;
                            fd->last_opcode_pos = -1;
                            opcode = OP_eval;
                        } else {
                            /* verify if function name resolves to a simple
                               get_loc/get_arg: a function call inside a `with`
                               statement can resolve to a method call of the
                               `with` context object

regards,
        o.

greets

maG

On 06.09.19 14:35, 姚厚友 wrote:

Dear Sir or Madam:
  I have a doubt about QuickJS, the detailed description is as follows:

## version: quickjs-2019-08-18

## Testcase:
var NISLFuzzingFunc = function(eval) {
    print(eval("print(false);"));
};
var NISLParameter1 = function() {
    print("run to NISLParameter1");
    return true;
};
NISLFuzzingFunc(NISLParameter1);

## Command:
./ quickjs-2019-08-18/qjs testcase.js

## Output:
false
undefined

## Expected output:
run to NISLParameter1
true

## Description:
    In the testcase above, "eval"（Line 2） should be the formal
parameter "eval", but QuickJS treats it as a global object "eval".
According to the scope of variable, I think this may be a bug in QuickJS.
    Do you think so? Looking forward to your reply.

your faithfully
houyou yao

Follow-Ups:
- [quickjs-devel] Re: A possible issue about the scope of variable in QuickJS
  - From: Ondřej Jirman

References:
- [quickjs-devel] A possible issue about the scope of variable in QuickJS
  - From: ??????
- [quickjs-devel] Re: A possible issue about the scope of variable in QuickJS
  - From: Mario Gliewe

[quickjs-devel] Re: A possible issue about the scope of variable in QuickJS

Other related posts: