Skip to content

fix: deep clone scope in FunctionEnvironment to prevent variable leak…#5339

Draft
yush-1018 wants to merge 3 commits intoboa-dev:mainfrom
yush-1018:fix/eval-variable-leakage
Draft

fix: deep clone scope in FunctionEnvironment to prevent variable leak…#5339
yush-1018 wants to merge 3 commits intoboa-dev:mainfrom
yush-1018:fix/eval-variable-leakage

Conversation

@yush-1018
Copy link
Copy Markdown
Contributor

@yush-1018 yush-1018 commented Apr 18, 2026

Fixes #5332

What's the bug?

When you call eval('var x = 1') inside a function, the variable x was
sticking around in the next call to that same function — even though it shouldn't.

function f(s) { return eval(s); }
f("eval('var x = 1;'); typeof x"); 
f("typeof x");

fix: deep clone scope in FunctionEnvironment to prevent variable leak…
a01b1fc 
…age across eval invocations (boa-dev#5332)

When eval('var x = ...') is called inside a function, Boa mutates the compile-time Scope (shared via Rc) to register the new binding. Because the same Scope was reused across invocations, the binding leaked into subsequent calls.

Fix: add Scope::deep_clone() that creates a fresh copy of the bindings Vec, and use it in FunctionEnvironment::new() so each invocation gets its own isolated scope.

Closes boa-dev#5332
@yush-1018 yush-1018 requested a review from a team as a code owner April 18, 2026 13:20
@github-actions github-actions Bot added the Waiting On Review Waiting on reviews from the maintainers label Apr 18, 2026
@github-actions github-actions Bot added this to the v1.0.0 milestone Apr 18, 2026
@github-actions github-actions Bot added the C-AST Issue surrounding the abstract syntax tree label Apr 18, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 18, 2026
edited
Loading

Test262 conformance changes

Test result main count PR count difference
Total 53,125 53,125 0
Passed 51,049 51,070 +21
Ignored 1,482 1,482 0
Failed 594 573 -21
Panics 0 1 +1
Conformance 96.09% 96.13% +0.04%
Fixed tests (21): 
test/staging/sm/Function/function-name-assignment.js (previously Failed)
test/staging/sm/strict/15.4.4.8.js (previously Failed)
test/staging/sm/strict/15.5.5.1.js (previously Failed)
test/staging/sm/strict/8.12.5.js (previously Failed)
test/staging/sm/strict/15.4.4.13.js (previously Failed)
test/staging/sm/strict/8.12.7.js (previously Failed)
test/staging/sm/strict/15.4.4.9.js (previously Failed)
test/staging/sm/strict/15.10.7.js (previously Failed)
test/staging/sm/strict/eval-variable-environment.js (previously Failed)
test/staging/sm/strict/15.4.4.12.js (previously Failed)
test/staging/sm/async-functions/await-in-arrow-parameters.js (previously Failed)
test/staging/sm/async-functions/await-in-parameters-of-async-func.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-simple.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-yield.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-function.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-function-nested.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-class.js (previously Failed)
test/staging/sm/expressions/short-circuit-compound-assignment.js (previously Failed)
test/staging/sm/expressions/destructuring-array-default-call.js (previously Failed)
test/staging/sm/PrivateName/lexical-presence.js (previously Failed)
test/staging/sm/extensions/for-loop-with-lexical-declaration-and-nested-function-statement.js (previously Failed)
New panics (1): 
test/staging/sm/strict/strict-function-statements.js (previously Failed)

Tested main commit: da570fd74bb6cd5b0fc01363451eb710b7ab5a0c
Tested PR commit: 17074a695e1902c7ad376d235fc13546c70c17a5
Compare commits: da570fd...17074a6

@yush-1018 yush-1018 marked this pull request as draft April 20, 2026 05:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

C-AST Issue surrounding the abstract syntax tree Waiting On Review Waiting on reviews from the maintainers

Projects

None yet

Milestone

v1.0.0

Development

Successfully merging this pull request may close these issues.

Variable leakage across eval invocations

1 participant

@yush-1018