Bug 205669

Summary: Reflect.construct() with a the optional newTarget parameter does not work with DOM constructors
Product: WebKit Reporter: Sam Weinig <sam>
Component: BindingsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ashvayka, cdumez, saam, ysuzuki
Priority: P2 Keywords: WPTImpact
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=174313
Attachments:
Description Flags
sub.html
none
main.html
none
main.html
none
main.html none

Sam Weinig
Reported 2019-12-31 18:28:01 PST
Created attachment 386567 [details] sub.html Reflect.construct() with a the optional newTarget parameter does not work with DOM constructors, such as DOMParser. For example, given a script with two access to two global objects, mainWindow and childWindow: Whereas this works: var value1 = Reflect.construct(window.String, [], childWindow.String); value.constructor == childWindow.String; this does not: var value1 = Reflect.construct(window.DOMParser, [], childWindow.DOMParser); value.constructor == childWindow.DOMParser;
Attachments
sub.html (75 bytes, text/html)
2019-12-31 18:28 PST, Sam Weinig 		no flags
Details
main.html (993 bytes, text/html)
2019-12-31 18:31 PST, Sam Weinig 		no flags
Details
main.html (1.03 KB, text/html)
2019-12-31 18:32 PST, Sam Weinig 		no flags
Details
main.html (1.22 KB, text/html)
2019-12-31 19:57 PST, Sam Weinig 		no flags
Details
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Sam Weinig
Comment 1 2019-12-31 18:31:37 PST Comment hidden (obsolete)
Sam Weinig
Comment 2 2019-12-31 18:32:19 PST Comment hidden (obsolete)
Sam Weinig
Comment 3 2019-12-31 18:33:28 PST
main.html demonstrates the issue.
Sam Weinig
Comment 4 2019-12-31 18:50:28 PST
For reference, DOMParser's binding constructor is generated as JSDOMParser.cpp and some relevant lines are: using JSDOMParserConstructor = JSDOMConstructor<JSDOMParser>; template<> EncodedJSValue JSC_HOST_CALL JSDOMParserConstructor::construct(JSGlobalObject* lexicalGlobalObject, CallFrame* callFrame) { VM& vm = lexicalGlobalObject->vm(); auto throwScope = DECLARE_THROW_SCOPE(vm); UNUSED_PARAM(throwScope); auto* castedThis = jsCast<JSDOMParserConstructor*>(callFrame->jsCallee()); ASSERT(castedThis); auto* context = castedThis->scriptExecutionContext(); if (UNLIKELY(!context)) return throwConstructorScriptExecutionContextUnavailableError(*lexicalGlobalObject, throwScope, "DOMParser"); ASSERT(context->isDocument()); auto& document = downcast<Document>(*context); auto object = DOMParser::create(document); return JSValue::encode(toJSNewlyCreated<IDLInterface<DOMParser>>(*lexicalGlobalObject, *castedThis->globalObject(), WTFMove(object))); }
Sam Weinig
Comment 5 2019-12-31 19:44:37 PST
My guess, though it has been a while since I did too much in here, is that we should probably be using callFrame->newTarget() in some fashion, probably in place of callFrame->jsCallee() in most places. We'll need to do a bit more digging in the WebIDL spec to figure out which document the DOMParser should be created with, though I suspect it is the document of newTarget. We can test what other browsers do by looking at document.url of a document produced by the constructed DOMParser, as it will match it's owner's url.
Sam Weinig
Comment 6 2019-12-31 19:57:17 PST
Created attachment 386571 [details] main.html Updated main.html
Sam Weinig
Comment 7 2019-12-31 20:21:42 PST
Looks like Firefox uses the document of the main window. I don't have Chrome installed at the moment to check what it does.
Sam Weinig
Comment 8 2020-01-04 16:30:26 PST
This causes failures in http://wpt.live/WebIDL/ecmascript-binding/constructors.html
Alexey Shvayka
Comment 9 2020-03-13 09:57:53 PDT
(In reply to Sam Weinig from comment #8) > This causes failures in > http://wpt.live/WebIDL/ecmascript-binding/constructors.html Most of the test cases (except for bound/proxied NewTarget values) are now fixed by https://bugs.webkit.org/show_bug.cgi?id=174313.
Alexey Shvayka
Comment 10 2020-04-17 13:42:21 PDT
(In reply to Alexey Shvayka from comment #9) > Most of the test cases (except for bound/proxied NewTarget values) are now > fixed by https://bugs.webkit.org/show_bug.cgi?id=174313. Please follow https://webkit.org/b/202599: it fixes remaining failures. *** This bug has been marked as a duplicate of bug 202599 ***
Note You need to log in before you can comment on or make changes to this bug.