25079 2009-04-07 10:36:37 -0700 (needs test?) JS Arrays et al receive the wrong prototype 2011-06-16 20:31:39 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED http://dl.dropbox.com/u/513327/JavaScript/bugs/sandboxed-natives.html P2 Normal --- 1 john.david.dalton webkit-unassigned abarth ap barraclough joe kangax oliver sam thedartt oldest_to_newest 116774 0 john.david.dalton 2009-04-07 10:36:37 -0700 First create sandboxed natives by creating an iframe and referencing its Array, String, Date or other natives. When calling a method on the sandboxed native it returns a document native instead of a sandboxed one. Example: window.Sandbox.Array.prototype.awesome = function() { }; var foo = new window.Sandbox.Array('a', 'b', 'c'); alert(typeof foo.awesome); // -> function alert(typeof Array.prototype.awesome) -> undefined (correctly reports undefined) alert(typeof foo.slice(0).awesome) -> undefined (should be `function`) Tested and fails on Safari 2.0 - 3.4 beta. Chrome, IE, and Opera work correctly. 204668 1 thedartt 2010-03-26 10:43:06 -0700 This still appears to be an issue in Safari 4.0.5 (tested on Windows). This is causing a lot of issues in our app which interacts with a child document which has been extended with the Prototype framework. 204912 2 abarth 2010-03-26 19:02:35 -0700 Can you attach a version of your test case in HTML? I don't understand what Sandbox is. Also, have you tried a nightly build from http://nightly.webkit.org/? 204974 3 thedartt 2010-03-27 04:12:31 -0700 It seems that the issue I've been experiencing is not quite the same as the one reported by John-David. I made a test that demonstrates my issue and tried it in the latest nightly, it's fixed. I ran John-David's test in the latest nightly and the test still fails. 258182 4 john.david.dalton 2010-07-30 06:36:51 -0700 I have updated the test case. This is still an issue in Safari 5. With JavaScript frameworks like FuseJS using this technique it would be beneficial if Safari would fix this bug so it can perform as well as other browsers. 258191 5 abarth 2010-07-30 07:32:29 -0700 Ok. I understand now. Your test case is about 10x more complex than it needs to be. The issue is that object created via constructors are getting their prototypes from the current page whereas they should be getting their prototypes from the page that contained the constructors originally. In the test case, the page that contains the constructors is detached, but it's unclear whether that's essentially to the issue. 258192 6 63058 abarth 2010-07-30 07:35:13 -0700 Created attachment 63058 Reduced test case Here's a reduced test case. 258193 7 abarth 2010-07-30 07:35:37 -0700 Probably something internal to JSC. 258194 8 john.david.dalton 2010-07-30 07:42:08 -0700 I noticed you changed the title to `JS Arrays` receive the wrong prototype. This is for any native object instance. The same thing can be seen for: Sandbox.String.prototype.blah = 3; var str = new Sandbox.String('x'); str.blah; // should be 3 258250 9 oliver 2010-07-30 10:08:32 -0700 What do sandboxes have to do with this? The testcase is simply using an iframe, i don't see any sign of the sandbox attribute? 258258 10 john.david.dalton 2010-07-30 10:14:23 -0700 @Oliver Hunt: "Sandboxed Natives" is the term I use for natives imported from an iframe, ActiveX object, or modified via the non-standard __proto__ property. The `Sandbox` object in the code snippets refers to the test case I have linked to. 258263 11 abarth 2010-07-30 10:17:42 -0700 > What do sandboxes have to do with this? Noting. > The testcase is simply using an iframe, i don't see any sign of the sandbox attribute? That's correct. 258264 12 abarth 2010-07-30 10:17:59 -0700 (In reply to comment #11) > > What do sandboxes have to do with this? > > Noting. Err. "Nothing." 258766 13 ap 2010-08-02 03:24:00 -0700 How is this related to bug 27088? 258992 14 abarth 2010-08-02 11:13:15 -0700 > How is this related to bug 27088? The difference in behavior is similar (prototypes get wired up to the wrong objects), but the fix will be different. Bug 27088 is about JavaScript objects constructed in WebCore. This bug is about JavaScript objects constructed in JavaScriptCore (e.g., via the Array and String constructors). 369715 15 john.david.dalton 2011-03-18 10:39:22 -0700 Just a heads up. The discussion of removing __proto__ over on the Mozilla bug tracker is related to this ticket. https://bugzilla.mozilla.org/show_bug.cgi?id=642500 Because of this bug part of the code I maintain will fall to __proto__. If this bug was fixed that would remove the strain and cause me to sleep better at night. This seems to be a Safari only issue. 370275 16 john.david.dalton 2011-03-20 21:06:51 -0700 Just confirmed via the `Reduced test case` that this bug still exists in WebKit Nightly r80840 built on March 11, 2011. Can the status be changed to `confirmed`? 390562 17 sam 2011-04-21 19:58:40 -0700 This is now fixed. 390577 18 ap 2011-04-21 20:28:49 -0700 Should we land Adam's test case now? 422391 19 barraclough 2011-06-16 20:31:39 -0700 Test case landed in r89111. 63058 2010-07-30 07:35:13 -0700 2010-07-30 07:35:13 -0700 Reduced test case case.html text/html 172 abarth PGlmcmFtZT48L2lmcmFtZT4KPHNjcmlwdD4KdmFyIGFycmF5Q29uc3RydWN0b3IgPSBmcmFtZXNb MF0uQXJyYXk7CmFycmF5Q29uc3RydWN0b3IucHJvdG90eXBlLmZvbyA9ICJiYXIiOwp2YXIgeCA9 IG5ldyBhcnJheUNvbnN0cnVjdG9yKCk7CmRvY3VtZW50LndyaXRlKHguZm9vKTsKPC9zY3JpcHQ+ Cg==