Closed Bug 1278599 Opened 8 years ago Closed 8 years ago

Function[Symbol.hasInstance] seems to have incorrect behavior when called with non-object "this"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla50
Tracking Flags:
Tracking Status
firefox50 --- fixed

People

(Reporter: bzbarsky, Unassigned)

References

Details

Attachments

(1 file)

hasinstance-this.diff
3.63 KB, patch
evilpie
: review+
Details | Diff | Splinter Review 
This is new code in bug 1054906.

Spec says to just call OrdinaryHasInstance(F, V), where F is the "this" value and "V" is the first argument.  Then OrdinaryHasInstance step 1 says:

  If IsCallable(C) is false, return false.

So something like this:

  Function[Symbol.hasInstance].call(5, 6)

should return false per spec (and does in Chrome and Safari).  But in our implementation, we have:

  js::fun_symbolHasInstance(JSContext* cx, unsigned argc, Value* vp)
...
    /* Step 1. */
    HandleValue func = args.thisv();
    if (!func.isObject()) {
        ReportIncompatible(cx, args);
        return false;
    }

which throws an exception.  That's not what the spec's step 1 says, unless I'm missing something.
Flags: needinfo?(winter2718)
Flags: needinfo?(winter2718)

        Attachment #8760840 -
        Flags: review?(evilpies)

    
    

    
  
(In reply to Boris Zbarsky [:bz] from comment #0)
> This is new code in bug 1054906.
> 
> Spec says to just call OrdinaryHasInstance(F, V), where F is the "this"
> value and "V" is the first argument.  Then OrdinaryHasInstance step 1 says:
> 
>   If IsCallable(C) is false, return false.
> 
> So something like this:
> 
>   Function[Symbol.hasInstance].call(5, 6)
> 
> should return false per spec (and does in Chrome and Safari).  But in our
> implementation, we have:
> 
>   js::fun_symbolHasInstance(JSContext* cx, unsigned argc, Value* vp)
> ...
>     /* Step 1. */
>     HandleValue func = args.thisv();
>     if (!func.isObject()) {
>         ReportIncompatible(cx, args);
>         return false;
>     }
> 
> which throws an exception.  That's not what the spec's step 1 says, unless
> I'm missing something.

You're right, I'd conflated the first step of "OrdinaryHasInstance" with the first step of "InstanceofOperator" a patch with the fix and some new test cases is attached.

    
    

    
  
Comment on attachment 8760840 [details] [diff] [review]
hasinstance-this.diff

Review of attachment 8760840 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +682,5 @@
>      }
>      /* Step 1. */
>      HandleValue func = args.thisv();
> +
> +    // Non-callables will always return false from OrdinaryHasInstance.

I would add "Primitives are non-callable and will ..

        Attachment #8760840 -
        Flags: review?(evilpies) → review+

    
    

    
  
Pushed by mphillips@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8593fe84d84e
Function[Symbol.hasInstance] should return false when called with a non-callable 'this'; r=evilpie

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8593fe84d84e
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox50:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: