14237 2007-06-19 16:28:00 -0700 Javascript "var" statement interprets initialization in the topmost function scope 2007-07-14 10:10:12 -0700 1 1 1 Unclassified WebKit JavaScriptCore 523.x (Safari 3) Mac OS X 10.4 RESOLVED FIXED P2 Normal --- 1 kkowal webkit-unassigned ap brendan kkowal mrowe zwarich oldest_to_newest 7062 0 kkowal 2007-06-19 16:28:00 -0700 Javascript "var" statement interprets initialization in the topmost function scope. While the declaration must be interpreted in the topmost function scope, the initialization should be interpreted in the topmost scope. For example, the statement, {{{ var name = value; }}}, can be conceptually split into {{{ var name; }}} and {{{ name = value; }}}. The former statement is interpreted in the topmost function scope or the global scope if there are no function scopes on the scope chain. According to the ECMA 262 Edition 3 specification, the latter statement is interpreted in the topmost scope. The distinction is only apparent when a variable is declared inside a {with} block that has the same name as a variable in the topmost context. For example: {{{ with ({'a': 10}) { var a = 20 } }}}. This code exposes the flaw: {{{ if (this.alert) print = alert; var a = 10; print(a); /* should be 10; not an issue */ var object = {'a': 20}; with (object) { print(a); /* should be 20; so far no controversy */ var a = 30; /* "var a" is evaluated in the function scope and ignored, but "a = 30" gets evaluated in the topmost scope*/ print(object.a) /* should be 30, fails in Safari with an output of 20 */ print(a); /* should be 30, fails in Safari with an output of 20 */ } print(a); /* should be 10, fails in Safari with an output of 30 */ }}} Expected Results: 10 20 30 30 10 Actual Results: 10 20 20 20 30 NOTES: This bug is closely related to an _invalid_ bug I filed against Firefox's Javascript implementation wherein Brendan Eich settled several of my misconceptions about the "var" statement: https://bugzilla.mozilla.org/show_bug.cgi?id=383558 7057 1 15130 mrowe 2007-06-19 17:27:27 -0700 Created attachment 15130 Test case Test case. It passes in Camino 1.5, but not in Safari 3 beta. 4917 2 zwarich 2007-07-12 19:08:56 -0700 This is caused by the same issue as bug 13517 and is fixed by the proposed patch there. See bug 13517, comment #5 for an explanation. 4768 3 mrowe 2007-07-14 10:10:12 -0700 Bug 13517 was fixed in r24287, which means that this is also fixed. 15130 2007-06-19 17:27:27 -0700 2007-06-19 17:27:27 -0700 Test case bug-14237.htm text/html 1028 mrowe PGh0bWw+CjxoZWFkPgo8L2hlYWQ+Cjxib2R5PgogICAgPGRpdiBpZD0nY29uc29sZSc+PC9kaXY+ CjxzY3JpcHQgbGFuZ3VhZ2U9IkphdmFTY3JpcHQiPgpmdW5jdGlvbiBsb2codmFsdWUpIHsKICAg IHZhciBjb25zb2xlID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2NvbnNvbGUnKTsKICAgIHZh ciBwID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgncCcpOwogICAgcC5hcHBlbmRDaGlsZChkb2N1 bWVudC5jcmVhdGVUZXh0Tm9kZSh2YWx1ZSkpOwogICAgY29uc29sZS5hcHBlbmRDaGlsZChwKTsK fQoKZnVuY3Rpb24gc2hvdWxkQmUoZXhwZWN0ZWQsIGFjdHVhbCkgewogICAgaWYgKGV4cGVjdGVk ICE9IGFjdHVhbCkKICAgICAgICBsb2coJ0V4cGVjdGVkICcgKyBleHBlY3RlZCArICcsIGdvdCAn ICsgYWN0dWFsICsgJy4nKTsKICAgIGVsc2UKICAgICAgICBsb2coJ0V4cGVjdGVkIGFuZCBnb3Qg JyArIGV4cGVjdGVkKTsKfQoKdmFyIGEgPSAxMDsKc2hvdWxkQmUoMTAsIGEpOyAvKiBzaG91bGQg YmUgMTA7IG5vdCBhbiBpc3N1ZSAqLwp2YXIgb2JqZWN0ID0geydhJzogMjB9Owp3aXRoIChvYmpl Y3QpIHsKICAgIHNob3VsZEJlKDIwLCBhKTsgLyogc2hvdWxkIGJlIDIwOyBzbyBmYXIgbm8gY29u dHJvdmVyc3kgKi8KICAgIHZhciBhID0gMzA7IC8qICJ2YXIgYSIgaXMgZXZhbHVhdGVkIGluIHRo ZSBmdW5jdGlvbiBzY29wZSBhbmQgaWdub3JlZCwgYnV0ICJhID0gMzAiIGdldHMgZXZhbHVhdGVk IGluIHRoZSB0b3Btb3N0IHNjb3BlKi8KICAgIHNob3VsZEJlKDMwLCBvYmplY3QuYSkgLyogc2hv dWxkIGJlIDMwLCBmYWlscyBpbiBTYWZhcmkgd2l0aCBhbiBvdXRwdXQgb2YgMjAgKi8KICAgIHNo b3VsZEJlKDMwLCBhKTsgLyogc2hvdWxkIGJlIDMwLCBmYWlscyBpbiBTYWZhcmkgd2l0aCBhbiBv dXRwdXQgb2YgMjAgKi8KfQpzaG91bGRCZSgxMCwgYSk7IC8qIHNob3VsZCBiZSAxMCwgZmFpbHMg aW4gU2FmYXJpIHdpdGggYW4gb3V0cHV0IG9mIDMwICovCjwvc2NyaXB0Pgo8Ym9keT4KPC9odG1s Pgo=