Closed Bug 709529 Opened 13 years ago Closed 11 years ago

Cross frame "new" on primordial constructor broken

Categories: Core :: JavaScript Engine, defect
Version: 11 Branch
Type: defect
Priority: Not set
Severity: major

RESOLVED WORKSFORME

People

(Reporter: erights, Unassigned)

Details

Originally noticed by Ihab. Identical symptoms on Nightly 11.0a1 (2011-12-10) (transcript below) and I think 8.0.1, though the latter isn't as tested.

> var f = document.createElement('iframe');
> document.body.appendChild(f);
[object HTMLIFrameElement]
> var w = f.contentWindow;
> var O = w.Object;
> var o = new O();
> o instanceof O;
false
> o instanceof Object;
true
> O.getPrototypeOf(o) === Object.prototype;
true
> O.getPrototypeOf(o) === O.prototype;
false
> var o2 = O.create(O.prototype);
> O.getPrototypeOf(o2) === O.prototype;
true
> var A = w.Array;
> var a = new A('x', 'y', 'z');
> a;
x,y,z
> a instanceof A;
false
> a instanceof Array;
true
> var a2 = Object.create(A.prototype);
> a2 instanceof A;
true

When did this regress?

Seems bad, consider prioritizing fix when in hand.

/be

(In reply to Brendan Eich [:brendan] from comment #1)
> When did this regress?

Hi Brendan, is this a regression? Had this once been fixed? Is the problem indeed with "new" or am I misdiagnosing? Are there any workarounds?

Seems new to me, possibly since Firefox 4... Let's make an HTML testcase:

<body>
<script type="application/javascript">
var f = document.createElement('iframe');
document.body.appendChild(f);
var w = f.contentWindow;
var O = w.Object;
var o = new O(),
    o2,
    A,
    a,
    a2;
// Firefox 3.6 has no Object.create; polyfill it via __proto__ in both frames.
if (!O.create) {
  Object.create = O.create = function (proto) { return {__proto__: proto}; };
}
var r =
  "o instanceof O is " + (o instanceof O) +
  "\no instanceof Object is " + (o instanceof Object) +
  "\nO.getPrototypeOf(o) === Object.prototype is " + (O.getPrototypeOf(o) === Object.prototype) +
  "\nO.getPrototypeOf(o) === O.prototype is " + (O.getPrototypeOf(o) === O.prototype) +
  "\no2 = O.create(O.prototype) is " + (o2 = O.create(O.prototype)) +
  "\nO.getPrototypeOf(o2) === O.prototype is " + (O.getPrototypeOf(o2) === O.prototype) +
  "\nA = w.Array is " + (A = w.Array) +
  "\na = new A('x', 'y', 'z') is " + (a = new A('x', 'y', 'z')) +
  "\na is " + (a) +
  "\na instanceof A is " + (a instanceof A) +
  "\na instanceof Array is " + (a instanceof Array) +
  "\na2 = Object.create(A.prototype) is " + (a2 = Object.create(A.prototype)).join(',') +
  "\na2 instanceof A is " + (a2 instanceof A);
alert(r);
</script>
</body>

Loading this in 3.6 and copying the alert string to /tmp/ff3.6, and doing the same in 8, gives these differences:

diff /tmp/ff*
1,4c1,4
< o instanceof O is true
< o instanceof Object is false
< O.getPrototypeOf(o) === Object.prototype is false
< O.getPrototypeOf(o) === O.prototype is true
---
> o instanceof O is false
> o instanceof Object is true
> O.getPrototypeOf(o) === Object.prototype is true
> O.getPrototypeOf(o) === O.prototype is false
12,13c12,13
< a instanceof A is true
< a instanceof Array is false
---
> a instanceof A is false
> a instanceof Array is true

So yes: regressed. I don't have Firefox 4 at hand but I suspect it regressed then.

/be
OS: Mac OS X → All
Hardware: x86 → All

This is bug 631135, regressed in Firefox 4. Compartment-per-global, bug 650353, is planned as the fix for this.

Depends on: cpg

Bug 650353 fixed this.

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME