Fix bug found by felix.meschberger@day.com:

given the following object :

----------------------------------------------
function SomeObject() {}
SomeObject.prototype.exec = function() {
  var local = this.someField;
}
----------------------------------------------

i create an 'instance', set a field and call the exec method :

----------------------------------------------
var someField = "global field value";
var anInstance = new SomeObject();
anInstance.someField = "instance field value";
anInstance.exec();
----------------------------------------------

then the local variable 'local' in the exec() method is assigned the value
of the global 'someField' variable instead of the instance field value.

the problem seems to be in the ScriptRuntime.callOrNewSpecial() method,
which is called, because the parser treats the name 'exec' specially. in
this method the exec() method gets called with

   return call(cx, fun, thisArg, args, scope);

where the 'thisArg' parameter really is the global this value instead of
the dynamic this value, which is in the jsThis variable and which would be
the one needed...

is it legitimate to replace the above call in callOrNewSpecial() with the
following line :

   return call(cx, fun, jsThis, args, scope);

this seems to only happen for methods named 'exec', which are identified as
special in the NodeTransformer.isSpecialCallName() method.

any help is appreciated. thank you very much for your time.

kind regards,
felix

js/rhino/src/org/mozilla/javascript/ScriptRuntime.java

@@ -1228,7 +1228,7 @@ public class ScriptRuntime {
                 return call(cx, fun, jsThis, args, scope);
 
         if (isCall)
-            return call(cx, fun, thisArg, args, scope);
+            return call(cx, fun, jsThis, args, scope);
         return newObject(cx, fun, args, scope);
     }