Bug 25079

Summary:

(needs test?) JS Arrays et al receive the wrong prototype

Product:

WebKit

Reporter:

John-David Dalton <john.david.dalton>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, ap, barraclough, joe, kangax, oliver, sam, thedartt

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

OS X 10.5

URL:

http://dl.dropbox.com/u/513327/JavaScript/bugs/sandboxed-natives.html

Attachments:

Description	Flags
Reduced test case	none

John-David Dalton

Reported 2009-04-07 10:36:37 PDT

First create sandboxed natives by creating an iframe and referencing its Array, String, Date or other natives. When calling a method on the sandboxed native it returns a document native instead of a sandboxed one. Example: window.Sandbox.Array.prototype.awesome = function() { }; var foo = new window.Sandbox.Array('a', 'b', 'c'); alert(typeof foo.awesome); // -> function alert(typeof Array.prototype.awesome) -> undefined (correctly reports undefined) alert(typeof foo.slice(0).awesome) -> undefined (should be `function`) Tested and fails on Safari 2.0 - 3.4 beta. Chrome, IE, and Opera work correctly.

Attachments
Reduced test case (172 bytes, text/html) 2010-07-30 07:35 PDT, Adam Barth	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Dan Trott

Comment 1 2010-03-26 10:43:06 PDT

This still appears to be an issue in Safari 4.0.5 (tested on Windows). This is causing a lot of issues in our app which interacts with a child document which has been extended with the Prototype framework.

Adam Barth

Comment 2 2010-03-26 19:02:35 PDT

Can you attach a version of your test case in HTML? I don't understand what Sandbox is. Also, have you tried a nightly build from http://nightly.webkit.org/?

Dan Trott

Comment 3 2010-03-27 04:12:31 PDT

It seems that the issue I've been experiencing is not quite the same as the one reported by John-David. I made a test that demonstrates my issue and tried it in the latest nightly, it's fixed. I ran John-David's test in the latest nightly and the test still fails.

John-David Dalton

Comment 4 2010-07-30 06:36:51 PDT

I have updated the test case. This is still an issue in Safari 5. With JavaScript frameworks like FuseJS using this technique it would be beneficial if Safari would fix this bug so it can perform as well as other browsers.

Adam Barth

Comment 5 2010-07-30 07:32:29 PDT

Ok. I understand now. Your test case is about 10x more complex than it needs to be. The issue is that object created via constructors are getting their prototypes from the current page whereas they should be getting their prototypes from the page that contained the constructors originally. In the test case, the page that contains the constructors is detached, but it's unclear whether that's essentially to the issue.

Adam Barth

Comment 6 2010-07-30 07:35:13 PDT

Created attachment 63058 [details] Reduced test case Here's a reduced test case.

Adam Barth

Comment 7 2010-07-30 07:35:37 PDT

Probably something internal to JSC.

John-David Dalton

Comment 8 2010-07-30 07:42:08 PDT

I noticed you changed the title to `JS Arrays` receive the wrong prototype. This is for any native object instance. The same thing can be seen for: Sandbox.String.prototype.blah = 3; var str = new Sandbox.String('x'); str.blah; // should be 3

Oliver Hunt

Comment 9 2010-07-30 10:08:32 PDT

What do sandboxes have to do with this? The testcase is simply using an iframe, i don't see any sign of the sandbox attribute?

John-David Dalton

Comment 10 2010-07-30 10:14:23 PDT

@Oliver Hunt: "Sandboxed Natives" is the term I use for natives imported from an iframe, ActiveX object, or modified via the non-standard __proto__ property. The `Sandbox` object in the code snippets refers to the test case I have linked to.

Adam Barth

Comment 11 2010-07-30 10:17:42 PDT

> What do sandboxes have to do with this? Noting. > The testcase is simply using an iframe, i don't see any sign of the sandbox attribute? That's correct.

Adam Barth

Comment 12 2010-07-30 10:17:59 PDT

(In reply to comment #11) > > What do sandboxes have to do with this? > > Noting. Err. "Nothing."

Alexey Proskuryakov

Comment 13 2010-08-02 03:24:00 PDT

How is this related to bug 27088?

Adam Barth

Comment 14 2010-08-02 11:13:15 PDT

> How is this related to bug 27088? The difference in behavior is similar (prototypes get wired up to the wrong objects), but the fix will be different. Bug 27088 is about JavaScript objects constructed in WebCore. This bug is about JavaScript objects constructed in JavaScriptCore (e.g., via the Array and String constructors).

John-David Dalton

Comment 15 2011-03-18 10:39:22 PDT

Just a heads up. The discussion of removing __proto__ over on the Mozilla bug tracker is related to this ticket. https://bugzilla.mozilla.org/show_bug.cgi?id=642500 Because of this bug part of the code I maintain will fall to __proto__. If this bug was fixed that would remove the strain and cause me to sleep better at night. This seems to be a Safari only issue.

John-David Dalton

Comment 16 2011-03-20 21:06:51 PDT

Just confirmed via the `Reduced test case` that this bug still exists in WebKit Nightly r80840 built on March 11, 2011. Can the status be changed to `confirmed`?

Sam Weinig

Comment 17 2011-04-21 19:58:40 PDT

This is now fixed.

Alexey Proskuryakov

Comment 18 2011-04-21 20:28:49 PDT

Should we land Adam's test case now?

Gavin Barraclough

Comment 19 2011-06-16 20:31:39 PDT

Test case landed in r89111.

Note You need to log in before you can comment on or make changes to this bug.