As mentioned in a recent email, Figma, a web-based tool for interface
design, is using QuickJS compiled to WebAssembly as the JS engine for
running plugins.
We recently discovered that the way that QuickJS handles direct eval does
not follow the ECMAScript spec.
Specifically, the following JS code should *not* call direct eval, but
rather should call the `myEval` function.
let eval = function(s) { return 'hi ' + s }
eval("1+2") // should return 'hi 1+2'
It appears that QuickJS currently treats any function call using the 'eval'
identifier as a call to direct eval. My reading of the ES5[1] and ES6[2] is
that the code above should call the provided function, rather than
performing a direct eval. This appears to also match what the JS engine in
browsers do.
Unfortunately this can be true in strict mode too, if there are containing
scopes that were parsed in non-strict mode. For example
let eval = function(s) { return 'hi ' + s }
function main() {
"use strict";
eval("1+2") // should return 'hi 1+2'
}
main()
[1] http://www.ecma-international.org/ecma-262/5.1/#sec-10.4.2
[2]
http://www.ecma-international.org/ecma-262/6.0/#sec-function-calls-runtime-semantics-evaluation
/ Jonas
