
fix: deep clone scope in FunctionEnvironment to prevent variable leak…#5339

Open
yush-1018 wants to merge 5 commits into boa-dev:main from yush-1018:fix/eval-variable-leakage

@yush-1018
Contributor

Fixes #5332

What's the bug?

When you call eval('var x = 1') inside a function, the variable x was
sticking around in the next call to that same function — even though it shouldn't.

function f(s) { return eval(s); }
f("eval('var x = 1;'); typeof x"); 
f("typeof x");                    

…age across eval invocations (boa-dev#5332)

When eval('var x = ...') is called inside a function, Boa mutates the compile-time Scope (shared via Rc) to register the new binding. Because the same Scope was reused across invocations, the binding leaked into subsequent calls.

Fix: add Scope::deep_clone() that creates a fresh copy of the bindings Vec, and use it in FunctionEnvironment::new() so each invocation gets its own isolated scope.

Closes boa-dev#5332
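
The sharing problem described in the commit message above, as an added example (not Boa's code and not part of this PR). `Scope`, `deep_clone` and `FunctionEnvironment` are named after the identifiers in the PR text; the field layout, the `isolate` flag, and the `eval_var`, `type_of` and `second_call_sees` helpers are assumptions made for this model.

```rust
use std::cell::RefCell;
use std::rc::Rc;

// Simplified stand-in for a compile-time scope: a mutable list of binding names.
// The field layout is an assumption for this model, not Boa's real struct.
struct Scope {
    bindings: RefCell<Vec<String>>,
}

impl Scope {
    fn new() -> Rc<Self> {
        Rc::new(Scope { bindings: RefCell::new(Vec::new()) })
    }
    // Copies the bindings Vec into a fresh allocation so later mutation stays local.
    fn deep_clone(&self) -> Rc<Self> {
        Rc::new(Scope { bindings: RefCell::new(self.bindings.borrow().clone()) })
    }
}

// One activation of a function. `isolate` (hypothetical flag) selects between
// reusing the shared Rc (the leaking behaviour) and a per-call deep clone.
struct FunctionEnvironment {
    scope: Rc<Scope>,
}

impl FunctionEnvironment {
    fn new(compiled: &Rc<Scope>, isolate: bool) -> Self {
        let scope = if isolate { compiled.deep_clone() } else { Rc::clone(compiled) };
        FunctionEnvironment { scope }
    }
    // Models eval('var x = 1') registering a new var binding in the function scope.
    fn eval_var(&self, name: &str) {
        self.scope.bindings.borrow_mut().push(name.to_string());
    }
    // Models `typeof name` for a binding that holds a number when present.
    fn type_of(&self, name: &str) -> &'static str {
        let found = self.scope.bindings.borrow().iter().any(|b| b == name);
        if found { "number" } else { "undefined" }
    }
}

// Two calls of the same compiled function: the first evals `var x`,
// the second only asks for `typeof x`.
fn second_call_sees(isolate: bool) -> &'static str {
    let compiled = Scope::new();
    FunctionEnvironment::new(&compiled, isolate).eval_var("x");
    let second = FunctionEnvironment::new(&compiled, isolate);
    second.type_of("x")
}
```

With the shared `Rc`, the second activation observes the binding registered by the first; with the per-call clone it does not, and the compiled scope itself stays unmodified.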
@yush-1018 yush-1018 requested a review from a team as a code owner April 18, 2026 13:20
@github-actions github-actions Bot added the Waiting On Review Waiting on reviews from the maintainers label Apr 18, 2026
@github-actions github-actions Bot added this to the v1.0.0 milestone Apr 18, 2026
@github-actions github-actions Bot added the C-AST Issue surrounding the abstract syntax tree label Apr 18, 2026
@github-actions

github-actions Bot commented Apr 18, 2026

Test262 conformance changes

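| Test result | main count | PR count | difference |
|-------------|------------|----------|------------|
| Total | 53,125 | 53,125 | 0 |
| Passed | 51,051 | 51,072 | +21 |
| Ignored | 1,482 | 1,482 | 0 |
| Failed | 592 | 571 | -21 |
| Panics | 0 | 1 | +1 |
| Conformance | 96.10% | 96.14% | +0.04% |
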
Fixed tests (21):
test/staging/sm/Function/function-name-assignment.js (previously Failed)
test/staging/sm/strict/15.4.4.8.js (previously Failed)
test/staging/sm/strict/15.5.5.1.js (previously Failed)
test/staging/sm/strict/8.12.5.js (previously Failed)
test/staging/sm/strict/15.4.4.13.js (previously Failed)
test/staging/sm/strict/8.12.7.js (previously Failed)
test/staging/sm/strict/15.4.4.9.js (previously Failed)
test/staging/sm/strict/15.10.7.js (previously Failed)
test/staging/sm/strict/eval-variable-environment.js (previously Failed)
test/staging/sm/strict/15.4.4.12.js (previously Failed)
test/staging/sm/async-functions/await-in-arrow-parameters.js (previously Failed)
test/staging/sm/async-functions/await-in-parameters-of-async-func.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-simple.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-yield.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-function.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-function-nested.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-class.js (previously Failed)
test/staging/sm/expressions/short-circuit-compound-assignment.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-call.js (previously Failed)
test/staging/sm/PrivateName/lexical-presence.js (previously Failed)
test/staging/sm/extensions/for-loop-with-lexical-declaration-and-nested-function-statement.js (previously Failed)
New panics (1):
test/staging/sm/strict/strict-function-statements.js (previously Failed)

Tested main commit: 3ce87f0fa03c5c037fb667f7f21a4996abbbc714
Tested PR commit: 8ed8fe7d875a8add8737cb6b6d6361f494b149ee
Compare commits: 3ce87f0...8ed8fe7

@yush-1018 yush-1018 marked this pull request as draft April 20, 2026 05:07
@codecov

codecov Bot commented May 12, 2026

Codecov Report

❌ Patch coverage is 33.33333% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.87%. Comparing base (6ddc2b4) to head (8ed8fe7).
⚠️ Report is 965 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|--------------------------|---------|-------|
| core/macros/src/module.rs | 0.00% | 6 Missing ⚠️ |

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #5339       +/-   ##
===========================================
+ Coverage   47.24%   59.87%   +12.63%     
===========================================
  Files         476      566       +90     
  Lines       46892    62932    +16040     
===========================================
+ Hits        22154    37682    +15528     
- Misses      24738    25250      +512     


@yush-1018
Contributor Author

@jedel1043,

please review this PR.

@yush-1018 yush-1018 marked this pull request as ready for review May 12, 2026 06:57
Contributor

@hansl hansl left a comment


Could you investigate the panic in test262?


Development

Successfully merging this pull request may close these issues.

Variable leakage across eval invocations