Closed Bug 33304 Opened 26 years ago Closed 25 years ago

DOM idlc must generate JS_InstanceOf tests in native methods

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
VERIFIED WONTFIX

People

(Reporter: marshall, Assigned: jst)

References

Details

(Whiteboard: [nsbeta3-][rtm-])

This code will freeze the browser: <html><body><div id="test"></div><script> g = document.getElementById; alert(g('test')); </script></body></html>
This is a bad DOM idlc bug. Consider the code idlc generates for document.getElementById: HTMLDocumentGetElementById(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) { nsIDOMHTMLDocument *nativeThis = (nsIDOMHTMLDocument*)nsJSUtils::nsGetNativeThis(cx, obj); Egads! An old-style C cast! Of course, per ECMA and JS since I first created JS, the 'this' parameter bound for a call g() where g = document.getElementById at the top-level (i.e., g is a global variable) must be the global object, aka window. Now the window object's private data is *not* of a C++ type cast-able to nsIDOMHTMLDocument -- of course, that interface is not even implemented by nsGlobalWindowImpl. We need idlc to generate code for native methods (but not for getProperty and setProperty JSClass hooks, or other JSClass hooks) that looks like this: HTMLDocumentGetElementById(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval) { if (!JS_InstanceOf(cx, obj, &HTMLDocumentClass, argv)) return JS_FALSE; nsIDOMHTMLDocument *nativeThis = NS_STATIC_CAST(nsIDOMHTMLDocument*, nsJSUtils::nsGetNativeThis(cx, obj)); Reassigning to jst@netscape.com, cc'ing jband and waterson in case my C++ chin needs wiping. /be
Assignee: rogerl → jst
Changing summary to summarize the real problem. /be
Summary: a=document.getElementByID; b=a('div'); freezes browser → DOM idlc must generate JS_InstanceOf tests in native methods
This doesn't seem to cause any serious problems so off beond beta2
Status: NEW → ASSIGNED
Target Milestone: --- → M18
Nominating for nsbeta3.
Keywords: nsbeta3
*** Bug 47402 has been marked as a duplicate of this bug. ***
According to bug 47402 and my little finger, lack of JS_InstanceOf checking can indeed lead to crashes. /be
Keywords: crash
Yes, you did cc me for a reason... This static_cast wouldn't compile... nsIDOMHTMLDocument *nativeThis = NS_STATIC_CAST(nsIDOMHTMLDocument*, nsJSUtils::nsGetNativeThis(cx, obj)); If you can't trust that the object is of the right type at this point in the code then you need to QI - our standin for dynamic_cast.
Marking nsbeta3- for now.
Whiteboard: [nsbeta3-]
Updating component from JS Engine to DOM Level 0
Status: ASSIGNED → NEW
Component: Javascript Engine → DOM Level 0
QA Contact: rginda → desale
Status: NEW → ASSIGNED
Nominating for rtm
Keywords: rtm
Marking rtm-.
Whiteboard: [nsbeta3-] → [nsbeta3-][rtm-]
Nominating for nsbeta1, since nsbeta2,3, dogfood, rtm keywords are going to be cleared soon and important bugs could loose attention. I think this one deserves nsbeta1 nomination.
Keywords: crash, nsbeta3, rtmnsbeta1
Since we're moving over to using XPConnect for the DOM too the code generated by IDLC (i.e. the code with the error that this bug is all about) will soon be removed, marking WONTFIX.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WONTFIX
WONTFIX.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.