archives

« Bugzilla Issues Index

#79 — assertion in 10.2.1.1.3 step 2 is incorrect

• bug_id: 79
• creation_ts: 2011-03-21 12:22:00 -0700
• short_desc: assertion in 10.2.1.1.3 step 2 is incorrect
• delta_ts: 2015-10-02 14:32:59 -0700
• product: ECMA-262, Editions 5 and 5.1
• component: technical content
• version: Edition 5.1
• rep_platform: All
• op_sys: All
• bug_status: RESOLVED
• resolution: FIXED
• bug_severity: normal
• blocked: 159
• everconfirmed: true
• reporter: Allen Wirfs-Brock
• assigned_to: Allen Wirfs-Brock

---

• commentid: 166
• comment_count: 0
• who: Allen Wirfs-Brock
• bug_when: 2011-03-21 12:22:22 -0700

from: https://mail.mozilla.org/pipermail/es5-discuss/2010-November/003839.html

In answering some questions about how SpiderMonkey implements assignment in the face of crazy concerns like those raised in the "Assigning to globals in strict mode" thread, I wrote this example to demonstrate the precise semantics specified and implemented:

var x = "global";
function fun(s) { eval(s); return function(s) { return eval(s); }; }
var closure = fun("var x = 'local'; x = (delete x, 'overwrite');");
assert(x === "global");
assert(closure("x") === "overwrite");

When I went to verify our behavior/implementation conforms to ES5, I discovered that ES5 asserts this situation to be impossible!

eval calls CreateMutableBinding for x. The binding is configurable because it is introduced by eval code. The assignment to x starts by evaluating x to a Reference rx whose base is the lexical environment for the call to fun and whose name is "x". Next we evaluate the right-hand side, along the way calling DeleteBinding for x and successfully removing that binding because it was configurable. The assignment algorithm completes by calling PutValue(rx, "overwrite"). Step 5 of PutValue calls SetMutableBinding on the lexical environment. Step 2 of SetMutableBinding asserts that a binding for x already exists -- but it doesn't because we deleted it!

ES5 can't assert the binding exists. SpiderMonkey, when it assigns to a deleted binding, appears to reintroduce a configurable, mutable binding:

[jwalden at find-waldo-now src]$ dbg/js
js> var x = "global";
js> function foo(s) { eval(s); return function(s) { return eval(s); }; }
js> var closure = foo("var x = 'local'; " +
"x = (delete x, 'overwrite'); " +
"print(x); " +
"delete x; " +
"print(x); " +
"eval('var x = \"local2\";'); " +
"print(x);")
overwrite
global
local2

Thus I *think* the right change (awful as it is) is to replace step 2 with:

2. If envRec does not have a binding for N, call CreateMutableBinding(N, true).

and perhaps add a note to the end of the algorithm explaining how this can occur. But I could well be missing something here -- please poke holes in my suggestion. :-)

Jeff

---

• commentid: 167
• comment_count: 1
• who: Allen Wirfs-Brock
• bug_when: 2011-03-21 12:23:14 -0700

I agree. This solution seems consistent with the ES3 specified behavior.
We weren't intentionally trying to change the ES3 behavior in this regard.

Allen

---

• commentid: 587
• comment_count: 2
• who: Allen Wirfs-Brock
• bug_when: 2012-01-12 12:30:03 -0800

set IN_PROGRESS to indicated this should go into ES5.1 Errata.

---

• commentid: 14722
• comment_count: 3
• who: Brian Terlson
• bug_when: 2015-10-02 14:32:59 -0700

Bulk resolving ES5.1 errata issues as a sampling suggests these are all fixed. If this is in error, please open a new issue on GitHub.