NEW 27088
WebKit constructors use wrong global object/prototype chain
https://bugs.webkit.org/show_bug.cgi?id=27088
Andrew Wilson
Reported 2009-07-08 12:39:40 PDT
If a child frame accesses a constructor from the parent window (for example: parent.window.Image()), various incorrect behaviors result:
1) Typically the wrong constructor is accessed (instead of grabbing the constructor and prototype chain from the specified window, the constructor/prototype is obtained from the lexicalGlobalObject).
2) In some cases, that constructor is then cached back in the parent window, leaving the parent window polluted with prototypes/constructors from the child.
#1 is a similar issue to https://bugs.webkit.org/show_bug.cgi?id=21138, although the reduction in that test doesn't work in Safari due to security constraints on data URLs. I'll attach a reduction shortly.
Attachments
reduction that tests all global constructors and exposes this bug (6.28 KB, text/plain)
2009-07-08 18:17 PDT, Andrew Wilson
no flags
patch (8.68 KB, patch)
2009-07-10 13:38 PDT, Eric Seidel (no email)
no flags
Add a missing layout test result to improve the quality of life of the Mac buildbots. (3.47 KB, patch)
2009-07-13 17:45 PDT, Eric Seidel (no email)
no flags
First attempt, does not compile, not for review, will be broken into smaller pieces (37.39 KB, patch)
2009-07-13 17:48 PDT, Eric Seidel (no email)
no flags
Now compiles, just needs testing (21.97 KB, patch)
2009-07-21 17:44 PDT, Eric Seidel (no email)
no flags
Andrew Wilson
Comment 1 2009-07-08 18:17:05 PDT
Created attachment 32496 [details] reduction that tests all global constructors and exposes this bug
Since the constructor code is looking at the lexical scope, it can be tricky to reproduce this bug (for example, accessing parent.window.Image will show the bug, but calling a function in the parent frame that accesses parent.window.Image won't).
Eric Seidel (no email)
Comment 2 2009-07-10 13:38:14 PDT
Eric Seidel (no email)
Comment 3 2009-07-10 13:39:47 PDT
Comment on attachment 32574 [details] patch Sorry, wrong bug.
Adam Barth
Comment 4 2009-07-10 15:37:48 PDT
Here's a test case: http://webblaze.org/abarth/tests/protoconfused/test1.html It covers the first level of objects off the global object.
Adam Barth
Comment 5 2009-07-10 16:08:35 PDT
Here's another test. This one crawls around the object graph for a bit looking for stuff: http://webblaze.org/abarth/tests/protoconfused/test2.html I don't certify that the results (PASS / FAIL) are 100% reliable, but it's a start.
Eric Seidel (no email)
Comment 6 2009-07-13 17:45:30 PDT
Created attachment 32689 [details] Add a missing layout test result to improve the quality of life of the Mac buildbots.
* platform/mac/fast/text/international/khmer-selection-expected.txt: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@45838 268f45cc-cd09-0410-ab3c-d52691b4dbfc
--- 2 files changed, 52 insertions(+), 0 deletions(-)
Eric Seidel (no email)
Comment 7 2009-07-13 17:48:23 PDT
Created attachment 32690 [details] First attempt, does not compile, not for review, will be broken into smaller pieces
--- 26 files changed, 105 insertions(+), 97 deletions(-)
Eric Seidel (no email)
Comment 8 2009-07-21 17:44:57 PDT
Created attachment 33233 [details] Now compiles, just needs testing
--- 14 files changed, 74 insertions(+), 50 deletions(-)
Eric Seidel (no email)
Comment 9 2009-07-22 00:37:52 PDT
Comment on attachment 33233 [details] Now compiles, just needs testing
This has a few possible functional changes which could be tested (and/or separated out from this patch):
- window.history.constructor
- window.location.constructor
- document.location.__proto__
- document.forms.name.__proto__
- (new RGBColor).__proto__
- instanceof JSSharedWorkerConstructor
- all .constructor accesses could be fixed (although most won't be due to toJS not yet passing enough information)
- all autogenerated constructors could have changed instanceof's
Eric Seidel (no email)
Comment 10 2009-07-23 17:58:40 PDT
Comment on attachment 33233 [details] Now compiles, just needs testing Using this as a meta bug for now. Patches will be on sub-bugs.
Alexey Proskuryakov
Comment 11 2022-08-20 10:01:41 PDT
This is very old and probably not applicable any more, but the attached test doesn't work now (even with fixed subresource paths), and I don't have sufficient bindings expertise to verify.