Bug 48953

Summary: REGRESSION: Can't shadow/overwrite window.constructor (causes TypeError exception)
Product: WebKit
Reporter: Matt Cooper <matt11ag-webkitbugs>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Major
CC: ap, ggaren, msaboff, oliver, sam
Priority: P1
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.6
Attachments (Description / Flags):
This attachment is simply an html test page that houses the code that throws the unexpected TypeError in WebKit nightly only / none
Patch to allow setting window.constructor. / none
Updated patch with whitespace fixes. / sam: review+

Description Matt Cooper 2010-11-03 14:13:28 PDT
In the latest WebKit nightly, I am seeing an unexpected error message:

TypeError: Result of expression 'TestSample' [[object DOMWindowConstructor]] is not a constructor.

for code that works just fine in Apple Safari 5.0.2, Google Chrome 7.0.517.41, and Firefox 3.6.11.

----

var constructor = new Function("id", "desc", "this.id = id; this.description = desc;");
constructor.prototype.setDescription = function(desc){this.description = desc};
constructor.prototype.getDescription = function(){return this.description};

// Changing the order of the following 2 lines does not make a difference:
window["TestSample"] = constructor;
constructor.getInstanceFromFactory = function (id, desc){return new TestSample(id, desc);};

var sample = TestSample.getInstanceFromFactory("hello","success if you see this");
alert(sample.getDescription());

----

Expected result is that you see an alert with the text "success if you see this" but in WebKit nightly, the above JavaScript TypeError is logged in the JavaScript console instead.
Comment 1 Matt Cooper 2010-11-03 14:14:30 PDT
Created attachment 72868
This attachment is simply an html test page that houses the code that throws the unexpected TypeError in WebKit nightly only
Comment 2 Matt Cooper 2010-12-20 13:29:27 PST
This issue is still reproducing over a month later in r74228 (today's latest nightly).

I also see the problem manifest on pages like this one:
http://jdevadf.oracle.com/adf-richclient-demo/faces/index.jspx
Comment 3 Alexey Proskuryakov 2010-12-20 13:32:37 PST
<rdar://problem/8790587>
Comment 4 Geoffrey Garen 2010-12-20 14:46:27 PST
The bug here is that window.constructor (a property that exists on all objects by default) can't be shadowed / overwritten.
Comment 5 Geoffrey Garen 2010-12-20 14:48:08 PST
I believe this may have been caused by Michael's recent change to the DOMWindow constructor object.
Comment 6 Michael Saboff 2010-12-20 16:45:32 PST
It appears that this was caused by change set <http://trac.webkit.org/changeset/69553>, the change to https://bugs.webkit.org/show_bug.cgi?id=47422 "DOMWindow constructor directly callable".
Comment 7 Michael Saboff 2010-12-22 16:29:15 PST
Created attachment 77274
Patch to allow setting window.constructor.

Added a new extended attribute to the JavaScript code generator called ReplaceableConstructor that will generate a setJS<class>Constructor() method.  Added this attribute to the DOMWindow interface.
Updated a test and added a new regression test.
Comment 8 Michael Saboff 2010-12-22 16:45:02 PST
Created attachment 77277
Updated patch with whitespace fixes.
Comment 9 Michael Saboff 2010-12-23 09:44:36 PST
Committed revision http://trac.webkit.org/changeset/74537
Comment 10 Matt Cooper 2011-03-22 16:22:22 PDT
Note that while this bug was fixed in WebKit, the issue still manifests in the mobile version of Safari on iOS 4.3.
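
The failure described in Comment 4 and the setter-based fix described in Comment 7 can be modeled in plain JavaScript. This is an added example, not WebKit code or code from the thread's participants: makeWindow, runReport, tryReport and canShadow are hypothetical names, the stand-in object is not a real DOMWindow, and the setter body (replacing the accessor with a data property) is an assumption about what a generated setter does.

```javascript
// Added example: a model of the regression, not WebKit source.
// makeWindow() builds a stand-in for `window` whose `constructor` is an
// accessor property; `replaceable` decides whether it also gets a setter.
function makeWindow(replaceable) {
  // Stand-in for the DOMWindowConstructor object: has a prototype, is not callable.
  const DOMWindowConstructor = { prototype: {} };
  const descriptor = { get: () => DOMWindowConstructor, configurable: true };
  if (replaceable) {
    // Assumed setter behaviour: swap the accessor for a plain data property.
    descriptor.set = function (value) {
      Object.defineProperty(this, "constructor",
        { value, writable: true, enumerable: true, configurable: true });
    };
  }
  return Object.defineProperty({}, "constructor", descriptor);
}

// The reporter's script, compiled as sloppy-mode code with `win` on the scope
// chain so that bare names resolve against it as they would against `window`.
const runReport = new Function("win", `
  with (win) {
    constructor = new Function("id", "desc", "this.id = id; this.description = desc;");
    constructor.prototype.getDescription = function () { return this.description; };
    win["TestSample"] = constructor;
    constructor.getInstanceFromFactory = function (id, desc) { return new TestSample(id, desc); };
    return TestSample.getInstanceFromFactory("hello", "success if you see this").getDescription();
  }
`);

// Run the script and report either its result or the exception type.
function tryReport(win) {
  try {
    return { ok: true, value: runReport(win) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Feature check a page could run before relying on a global of this name.
function canShadow(win, name) {
  const marker = function () {};
  return Reflect.set(win, name, marker) && win[name] === marker;
}

console.log(tryReport(makeWindow(false))); // getter only: the write is dropped
console.log(tryReport(makeWindow(true)));  // with setter: the page's function wins
```

In the getter-only case the assignment fails silently because the script is not strict-mode code, so the first visible symptom is the later TypeError at `new TestSample(...)`, as in the report.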