Closed
Bug 328012
Opened 18 years ago
Closed 18 years ago
"Permission denied to get property ChromeWindow.PropertyIterator"
Categories
(Core :: JavaScript Engine, defect, P3)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: verified1.8.0.4, verified1.8.1, Whiteboard: [patch])
Attachments
(2 files)
|
1.97 KB,
patch
|
brendan
:
review+
brendan
:
approval-branch-1.8.1+
jay
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
|
50.53 KB,
text/plain
|
Details |
To reproduce:
javascript:try { for (i in focus.prototype.toString); } catch(e){alert(e);}
Result:
Permission denied to get property ChromeWindow.PropertyIterator
Expected:
No error thrown?
I don't think focus.prototype.toString is a ChromeWindow, so I don't understand why I'm not being allowed to iterate over its properties.
I'm testing using a Mac trunk debug build.
|
Assignee | |
Comment 1•18 years ago
|
||
This is the return of the PropertyIterator (also see bug 323833). We're again trying to create the property iterator to iterate over the toString function, using the toString function's object as the parent. Note, however, that the function was created with a parent leading up to the hidden (chrome) window. Then, we try to resolve the PropertyIterator constructor using its parent as a starting point, and find it on the ChromeWindow, except that we're content, so the ssm throws. I think there might be a hackish solution: to create the property iterator with the parent being the current global object and stick the iteree into the parent slot once the iterator's been created. I'm not sure how happy I am with that solution (note: this solution also breaks if we ever do a security check on the property iterator, which I don't believe happens).
|
||
Comment 2•18 years ago
|
||
So how come the focus function's parent chain goes to the hidden window? Is it because it's actually on Window.prototype?
|
|
Assignee | |
Updated•18 years ago
|
OS: MacOS X → All
Priority: -- → P3
Hardware: Macintosh → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
|
|
Assignee | |
Comment 3•18 years ago
|
||
This is my proposed fix (which I found lying around in one of my trees!). To be clear, the function's parent chain doesn't point to the chrome window. Instead, first note that the function, when accessed, is cloned. Resolving "prototype" on the clone will create a new object (still parented at the original content window) to return, but whose __proto__ points at the original function's prototype object (which is parented to the chrome window. Since toString exists on the original prototype object, we don't create a new toString function for the clone's prototype, and so accessing focus.prototype.toString finds the chrome-parented toString. This patch works by first attempting to resolve the PropertyIterator constructor on the regular window (using the content led scope chain as a starting point) instead of starting at the parent (chrome-parented toString).
|
||
Comment 4•18 years ago
|
||
Comment on attachment 215953 [details] [diff] [review] Proposed fix r=me, glad you found this! I'd forgotten about it. /be
Attachment #215953 -
Flags: review?(brendan)
Attachment #215953 -
Flags: review+
Attachment #215953 -
Flags: approval1.8.0.3?
Attachment #215953 -
Flags: approval-branch-1.8.1+
|
|
Assignee | |
Comment 5•18 years ago
|
||
Fix checked into trunk. I'm changing the component to reflect where the bug was fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Component: DOM → JavaScript Engine
Resolution: --- → FIXED
|
||
Comment 6•18 years ago
|
||
Comment on attachment 215953 [details] [diff] [review] Proposed fix >+ propobj->slots[JSSLOT_PARENT] = obj; MSVC complains about this line: jsinterp.c(2484) : warning C4047: '=' : 'jsval' differs in levels of indirection from 'JSObject *' obj was set in line 2436: obj = JSVAL_TO_OBJECT(sp[i]); Shouldn't slots[JSSLOT_PARENT] always be a jsval?
|
|
Assignee | |
Comment 7•18 years ago
|
||
For the record, brendan checked in the fix for the warning.
|
||
Comment 8•18 years ago
|
||
Comment on attachment 215953 [details] [diff] [review] Proposed fix Please check in promptly on the 1.8.0 branch. Thanks!
Attachment #215953 -
Flags: approval1.8.0.3? → approval1.8.0.3+
|
|
Assignee | |
Comment 9•18 years ago
|
||
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.3,
fixed1.8.1
|
||
Comment 10•18 years ago
|
||
Checking in js1_5/Regress/regress-328012.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-328012.js,v <-- regress-328012.js initial revision: 1.1 done
Flags: in-testsuite+
|
|
||
Comment 11•18 years ago
|
||
verified fixed 20060425 browser win/mac/linux 1.8.0.4, 1.8.1, 1.9a1
Status: RESOLVED → VERIFIED
|
|
||
Comment 12•18 years ago
|
||
I am still getting a number of ChromeWindow related errors on the trunk. Blake, what would you like me to do with these (and no, inserting them into body cavities is not an option) ?
|
|
Assignee | |
Comment 13•18 years ago
|
||
Bob, could you open new a new bug on those errors, please?
|
|
||
Comment 14•18 years ago
|
||
(In reply to comment #13) > Bob, could you open new a new bug on those errors, please? > Sure, I don't seem to be able to reproduce by hand at the moment. I'll file if they still show up in the next run.
You need to log in
before you can comment on or make changes to this bug.
Description
•