Updates:
Status: PendingFurtherInfo
Owner: LasseReichsteinHolstNielsen
Comment #4 on issue 981 by [email protected]: Primordial privilege escalation from bad this-coercion
http://code.google.com/p/v8/issues/detail?id=981
I assume this ToObject conversion is referring to step 3 of the algorithm
in section 10.4.3 ("Entering Function Code"), but step 2 specifically
handles null or undefined by using the global object instead (in non-strict
code). This is reading tc39-2010-062-rev3.pdf (the Jan 3. 2011 version of
ES 5.1).

Function.prototype.call (15.3.4.4) itself doesn't convert the thisArg, and
the [[Call]] function (13.2.1) defers the initialization of the ThisBinding
to 10.4.3.

I.e., I can't see where we differ from the ES5.1 proposal.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
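
The 10.4.3 steps discussed in the comment above, as an added example (not code from the issue or from the V8 project): a small model of the ThisBinding rules compared against what the running engine actually binds. All function names are illustrative; `globalThis` and the `Function` constructor are used so the non-strict case behaves the same whether the file is loaded as a script or as a module.

```javascript
// Function-constructor bodies are non-strict unless they opt in, so the two
// probes below do not depend on how this file itself is loaded.
const sloppyThis = new Function('return this;');
const strictThis = new Function('"use strict"; return this;');

// Model of 10.4.3 steps 1-4: what ThisBinding should be for a given thisArg.
function expectedThisBinding(thisArg, strict) {
  if (strict) return { kind: 'as-is', value: thisArg };           // step 1
  if (thisArg === null || thisArg === undefined) {
    return { kind: 'global', value: globalThis };                 // step 2
  }
  const isObject = typeof thisArg === 'object' || typeof thisArg === 'function';
  if (!isObject) return { kind: 'wrapped', value: thisArg };      // step 3: ToObject
  return { kind: 'as-is', value: thisArg };                       // step 4
}

// True when the value the engine bound to `this` agrees with the model.
function agrees(expected, actual) {
  if (expected.kind === 'wrapped') {
    return typeof actual === 'object' && actual !== null &&
      Object.is(actual.valueOf(), expected.value);
  }
  return Object.is(actual, expected.value);
}

// Constructed sample thisArg values covering every branch of the model.
const SAMPLES = [null, undefined, 0, 42, '', 'str', true, {}, [], function () {}];

// Returns the cases where the engine and the model disagree.
function conformanceFailures() {
  const failures = [];
  for (const thisArg of SAMPLES) {
    for (const strict of [false, true]) {
      const actual = (strict ? strictThis : sloppyThis).call(thisArg);
      if (!agrees(expectedThisBinding(thisArg, strict), actual)) {
        failures.push({ thisArg, strict, actual });
      }
    }
  }
  return failures;
}

// Defender's check: does calling fn with no receiver hand back the global object?
function exposesGlobal(fn) {
  return fn.call(undefined) === globalThis;
}

console.log(conformanceFailures().length, exposesGlobal(sloppyThis), exposesGlobal(strictThis));
```

The step 2 substitution is what hands a non-strict callee the global object; the strict probe receives the thisArg unchanged, so isolation layers should check with `exposesGlobal` which of their functions fall under step 2.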