Bug 25205

Summary:

XMLHttpRequest instance is not an instanceof XMLHttpRequest

Product:

WebKit

Reporter:

Michael A. Puls II <shadow2531>

Component:

DOM

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, bfulgham, darin, eric, sam, yuzo

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Fix for "instanceof XMLHttpRequest"	none
This also fixes for XSTLProcessor, Audio, etc.	darin: review-
DOMConstructorObject approach.	darin: review-
Removed virtual destructor declaration of DOMConstructorObject.	darin: review+

Michael A. Puls II

Reported 2009-04-15 01:03:13 PDT

WebKit r42344 The following alerts true in FF, Opera and IE8, but alerts false in Safari. javascript:alert((new XMLHttpRequest()) instanceof XMLHttpRequest)%3B This causes (ProgressEvent_instance.target instanceof XMLHttpRequest) to evaluate to false in the load listener function for XHR.

Attachments
Fix for "instanceof XMLHttpRequest" (3.80 KB, patch) 2009-07-07 02:31 PDT, Yuzo Fujishima	no flags	Details Formatted Diff Diff
This also fixes for XSTLProcessor, Audio, etc. (15.51 KB, patch) 2009-07-08 00:29 PDT, Yuzo Fujishima	darin: review-	Details Formatted Diff Diff
DOMConstructorObject approach. (20.05 KB, patch) 2009-07-08 19:29 PDT, Yuzo Fujishima	darin: review-	Details Formatted Diff Diff
Removed virtual destructor declaration of DOMConstructorObject. (19.98 KB, patch) 2009-07-09 18:33 PDT, Yuzo Fujishima	darin: review+	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2009-04-15 02:07:59 PDT

Same problem with e.g. XSLTProcessor.

Sam Weinig

Comment 2 2009-04-15 12:13:22 PDT

Interestingly, javascript:alert((new XMLHttpRequest).__proto__ == XMLHttpRequest.prototype) returns true.

Sam Weinig

Comment 3 2009-04-15 12:13:33 PDT

Is this a regression?

Alexey Proskuryakov

Comment 4 2009-04-15 12:21:03 PDT

(In reply to comment #3) > Is this a regression? Not from Safari 3.2.1.

Yuzo Fujishima

Comment 5 2009-07-07 02:31:57 PDT

Created attachment 32370 [details] Fix for "instanceof XMLHttpRequest" Hi, Can you review the attached patch? It attempts to fix this bug by setting JSC::ImplementsHasInstance flag for JSXMLHttpRequestConstructor. Yuzo

Yuzo Fujishima

Comment 6 2009-07-07 03:12:29 PDT

If the proposed patch is the right fix, the same should be applicable to: WebCore/bindings/js/JSAudioConstructor.cpp WebCore/bindings/js/JSImageConstructor.cpp WebCore/bindings/js/JSMessageChannelConstructor.cpp WebCore/bindings/js/JSOptionConstructor.cpp WebCore/bindings/js/JSWebKitCSSMatrixConstructor.cpp WebCore/bindings/js/JSWebKitPointConstructor.cpp WebCore/bindings/js/JSWorkerConstructor.cpp # WebCore/bindings/js/JSXMLHttpRequestConstructor.cpp WebCore/bindings/js/JSXSLTProcessorConstructor.cpp In that case, we should perhaps add: static PassRefPtr<Structure> createStructureForConstructor(JSValue prototype); to JavaScriptCore/runtime/JSObject.h and call the method from the above classes. Yuzo

Yuzo Fujishima

Comment 7 2009-07-08 00:29:08 PDT

Created attachment 32434 [details] This also fixes for XSTLProcessor, Audio, etc. Can anyone review this, please? I've updated the patch to fix for XSLTProcessor, Audio, etc. Yuzo

Darin Adler

Comment 8 2009-07-08 09:54:11 PDT

Comment on attachment 32434 [details] This also fixes for XSTLProcessor, Audio, etc. This seems OK, but not great. The design here is supposed to be that derived classes override createStructure if the base class version doesn't work right. Leaving behind a createStructure function that does the wrong thing and relying on the callers to call the correct one seems unnecessarily fragile to me. To share code, we could create a new base class, derived from DOMObject, and have all the constructor classes derive from this, and it would override createStructure to work properly. Would you be willing to try that approach? review- for now, but I'm open to landing this version if you don't like my suggestion and can convince me.

Yuzo Fujishima

Comment 9 2009-07-08 19:29:54 PDT

Created attachment 32499 [details] DOMConstructorObject approach. Thank you for your review. I agree. I've revised the patch such that all the classes in question derive from DOMConstructorObject, which in turn derives from DOMObject. Can you take another look? Yuzo

Darin Adler

Comment 10 2009-07-09 08:18:21 PDT

Comment on attachment 32499 [details] DOMConstructorObject approach. > +#ifndef NDEBUG > + virtual ~DOMConstructorObject(); > +#endif What's the idea here? I don't see any definition of this destructor, so it seems like the change won't link. Have you tested yet? Otherwise, everything looks great!

Yuzo Fujishima

Comment 11 2009-07-09 18:33:38 PDT

Created attachment 32547 [details] Removed virtual destructor declaration of DOMConstructorObject. Hi, Thank you for reviewing this. I've removed the virtual destructor declaration of DOMConstructorObject and confirmed that the layout test succeeds for both Debug and Release. Yuzo

Brent Fulgham

Comment 12 2009-07-15 12:55:30 PDT

Assign for landing.

Brent Fulgham

Comment 13 2009-07-15 13:09:14 PDT

Landed in http://trac.webkit.org/changeset/45938.

Eric Seidel (no email)

Comment 14 2009-07-21 15:28:55 PDT

This doesn't fix all constructors though. This diff is still missing from the change: @@ -2027,10 +2042,10 @@ sub constructorFor my $canConstruct = shift; my $implContent = << "EOF"; -class ${className}Constructor : public DOMObject { +class ${className}Constructor : public DOMConstructorObject { public: ${className}Constructor(ExecState* exec, JSDOMGlobalObject* globalObject) - : DOMObject(${className}Constructor::createStructure(globalObject->objectPrototype())) + : DOMConstructorObject(${className}Constructor::createStructure(globalObject->objectPrototype()), globalObject) { putDirect(exec->propertyNames().prototype, ${protoClassName}::self(exec, globalObject), None); } I guess I'll find a way to write a test and file a new bug for that change.

Eric Seidel (no email)

Comment 15 2009-07-21 15:29:55 PDT

Hum... I'm surprised Darin let you get away w/o a test case!

Yuzo Fujishima

Comment 16 2009-07-21 17:59:14 PDT

My patch contains: LayoutTests/fast/js/instanceof-operator.html b/LayoutTests/fast/js/instanceof-operator.html Do you mean a different kind of test?

Eric Seidel (no email)

Comment 17 2009-07-21 18:00:50 PDT

Sorry. I just missed them in the diff http://trac.webkit.org/changeset/45938. I never remember to look for the special green squares.

Note You need to log in before you can comment on or make changes to this bug.