RESOLVED FIXED 25079
(needs test?) JS Arrays et al receive the wrong prototype 
https://bugs.webkit.org/show_bug.cgi?id=25079
Summary (needs test?) JS Arrays et al receive the wrong prototype
John-David Dalton
Reported 2009-04-07 10:36:37 PDT
First create sandboxed natives by creating an iframe and referencing its Array, String, Date or other natives. When calling a method on the sandboxed native it returns a document native instead of a sandboxed one. Example: window.Sandbox.Array.prototype.awesome = function() { }; var foo = new window.Sandbox.Array('a', 'b', 'c'); alert(typeof foo.awesome); // -> function alert(typeof Array.prototype.awesome) -> undefined (correctly reports undefined) alert(typeof foo.slice(0).awesome) -> undefined (should be `function`) Tested and fails on Safari 2.0 - 3.4 beta. Chrome, IE, and Opera work correctly.
Attachments
Reduced test case (172 bytes, text/html)
2010-07-30 07:35 PDT, Adam Barth 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Dan Trott
Comment 1 2010-03-26 10:43:06 PDT
This still appears to be an issue in Safari 4.0.5 (tested on Windows). This is causing a lot of issues in our app which interacts with a child document which has been extended with the Prototype framework.
Adam Barth
Comment 2 2010-03-26 19:02:35 PDT
Can you attach a version of your test case in HTML? I don't understand what Sandbox is. Also, have you tried a nightly build from http://nightly.webkit.org/?
Dan Trott
Comment 3 2010-03-27 04:12:31 PDT
It seems that the issue I've been experiencing is not quite the same as the one reported by John-David. I made a test that demonstrates my issue and tried it in the latest nightly, it's fixed. I ran John-David's test in the latest nightly and the test still fails.
John-David Dalton
Comment 4 2010-07-30 06:36:51 PDT
I have updated the test case. This is still an issue in Safari 5. With JavaScript frameworks like FuseJS using this technique it would be beneficial if Safari would fix this bug so it can perform as well as other browsers.
Adam Barth
Comment 5 2010-07-30 07:32:29 PDT
Ok. I understand now. Your test case is about 10x more complex than it needs to be. The issue is that object created via constructors are getting their prototypes from the current page whereas they should be getting their prototypes from the page that contained the constructors originally. In the test case, the page that contains the constructors is detached, but it's unclear whether that's essentially to the issue.
Adam Barth
Comment 6 2010-07-30 07:35:13 PDT
Created attachment 63058 [details] Reduced test case Here's a reduced test case.
Adam Barth
Comment 7 2010-07-30 07:35:37 PDT
Probably something internal to JSC.
John-David Dalton
Comment 8 2010-07-30 07:42:08 PDT
I noticed you changed the title to `JS Arrays` receive the wrong prototype. This is for any native object instance. The same thing can be seen for: Sandbox.String.prototype.blah = 3; var str = new Sandbox.String('x'); str.blah; // should be 3
Oliver Hunt
Comment 9 2010-07-30 10:08:32 PDT
What do sandboxes have to do with this? The testcase is simply using an iframe, i don't see any sign of the sandbox attribute?
John-David Dalton
Comment 10 2010-07-30 10:14:23 PDT
@Oliver Hunt: "Sandboxed Natives" is the term I use for natives imported from an iframe, ActiveX object, or modified via the non-standard __proto__ property. The `Sandbox` object in the code snippets refers to the test case I have linked to.
Adam Barth
Comment 11 2010-07-30 10:17:42 PDT
> What do sandboxes have to do with this? Noting. > The testcase is simply using an iframe, i don't see any sign of the sandbox attribute? That's correct.
Adam Barth
Comment 12 2010-07-30 10:17:59 PDT
(In reply to comment #11) > > What do sandboxes have to do with this? > > Noting. Err. "Nothing."
Alexey Proskuryakov
Comment 13 2010-08-02 03:24:00 PDT
How is this related to bug 27088?
Adam Barth
Comment 14 2010-08-02 11:13:15 PDT
> How is this related to bug 27088? The difference in behavior is similar (prototypes get wired up to the wrong objects), but the fix will be different. Bug 27088 is about JavaScript objects constructed in WebCore. This bug is about JavaScript objects constructed in JavaScriptCore (e.g., via the Array and String constructors).
John-David Dalton
Comment 15 2011-03-18 10:39:22 PDT
Just a heads up. The discussion of removing __proto__ over on the Mozilla bug tracker is related to this ticket. https://bugzilla.mozilla.org/show_bug.cgi?id=642500 Because of this bug part of the code I maintain will fall to __proto__. If this bug was fixed that would remove the strain and cause me to sleep better at night. This seems to be a Safari only issue.
John-David Dalton
Comment 16 2011-03-20 21:06:51 PDT
Just confirmed via the `Reduced test case` that this bug still exists in WebKit Nightly r80840 built on March 11, 2011. Can the status be changed to `confirmed`?
Sam Weinig
Comment 17 2011-04-21 19:58:40 PDT
This is now fixed.
Alexey Proskuryakov
Comment 18 2011-04-21 20:28:49 PDT
Should we land Adam's test case now?
Gavin Barraclough
Comment 19 2011-06-16 20:31:39 PDT
Test case landed in r89111.
Note You need to log in before you can comment on or make changes to this bug.