Closed Bug 1111170 Opened 10 years ago Closed 10 years ago

ArrayIteratorPrototype.next and StringIteratorPrototype.next should work on cross-compartment wrappers for iterators

Categories

(Core :: JavaScript: Standard Library, defect)

Product:
Core
Component:
JavaScript: Standard Library
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Details

Attachments

(2 files)

testcases
1.76 KB, patch
Details | Diff | Splinter Review
Make ArrayIterator and StringIterator next() methods work even with cross-compartment wrappers for those objects as this values
5.82 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
Spun off from bug 924059. Testcase: var iter = [][Symbol.iterator](); // Should return { value: undefined, done: true } // Instead signals TypeError: ArrayIterator next called on incompatible [object Array Iterator] iter.next.call(newGlobal().eval('[][Symbol.iterator]()'))
Attached patch testcasesSplinter Review
The only sane implementation thought I've had so far is to have some way to say If this object does not have the expected class, then: 1) If it's not a wrapper, throw. 2) If we can't js::CheckedUnwrap, throw. 3) Delegate to this same method in the compartment of the underlying object. 4) Re-wrap the value on its way out. Presumably this would be some intrinsic we call... Step 3 is the interesting one.
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment on attachment 8535987 [details] [diff] [review] Make ArrayIterator and StringIterator next() methods work even with cross-compartment wrappers for those objects as this values Review of attachment 8535987 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/tests/ecma_6/String/iterator_edge_cases.js @@ +1,1 @@ > +// Tests that we can use %StringIteratorPrototype%.next on a Would be nice duplicating the ArrayIterator confusion test over here, too. %StringIteratorPrototype% too is an ordinary object, so it all should apply mutatis mutandis. ::: js/src/vm/SelfHosting.cpp @@ +1102,5 @@ > > JS_FN("NewArrayIterator", intrinsic_NewArrayIterator, 0,0), > JS_FN("IsArrayIterator", intrinsic_IsArrayIterator, 1,0), > + JS_FN("CallArrayIteratorMethodIfWrapped", > + CallNonGenericSelfhostedMethod<Is<ArrayIteratorObject>>, 2, 0), I guess we want the 2 aligned underneath the 1 two lines up. Same below.
Attachment #8535987 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/5e513880db47
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: