Getters fail (silently) across different JavaScript contexts/globals

RESOLVED INACTIVE

Status

()

Core
XPConnect
--
major
RESOLVED INACTIVE
11 years ago
27 days ago

People

(Reporter: Uri Sarid, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b1) Gecko Minefield/3.0b1

If you have a constructor function, and getters and methods defined on its prototype, all in a BackstagePass, and you try to construct an object with this constructor in e.g. a ChromeWindow, the getters fail (silently), but everything else works. See the example below. 

You can invoke the getter just fine (i.e. get the property) as long as you do that within the BackstagePass, but if you try to use the getter from a function defined in a different context (specifically a ChromeWindow) the JavaScript just fails, silently. The object created from the constructor seems fine, and any methods on the object work fine, and you can even ask the object for the getter using the __lookupGetter__ method that works fine, but if you actually use the getter the JS engine stops running the rest of your code.



Reproducible: Always

Steps to Reproduce:
For example, create the following function in your BackstagePass:

function testGetter(win, useMethod)
{
	function Foo()
	{
		this._id = 42;
	}
	Foo.prototype = { get id() { return this._id; }, testMethod: function() { return 7; }};
	var result, result2;
	if (win)
	{
		var script = win.document.createElement("script");
		win.Foo = Foo;
		win.Foo.prototype = Foo.prototype;
		script.innerHTML = 'var foo = new Foo(); window.result = foo.' + (useMethod ? 'testMethod()' : 'id') + '; window.result2 = "after";';
		win.document.body.appendChild(script);
		result = win.result;
		result2 = win.result2;
	}
	else
	{
		var foo = new Foo();
		result = useMethod ? foo.testMethod() : foo.id;
		result2 = "after";
	}
	return [result, result2];
}

Note that it allows creating a Foo-type object in either its own global or in a passed-in window. 
Actual Results:  
Here's what I find:

use BackstagePass, use method: returns [7, "after"]
use BackstagePass, use getter: returns [42, "after"]
use ChromeWindow, use method: returns [7, "after"]
use ChromeWindow, use getter: returns [,]



Expected Results:  
So not only does the getter not return 42, but after you try to use it the rest of your code (within the ChromeWindow) is no longer executing.

Could this be a security issue – related to http://groups.google.com/group/mozilla.dev.tech.js-engine/browse_thread/thread/578f009fa8be530f/8df1c86923ddc4e1?lnk=gst&q=getter#8df1c86923ddc4e1?

Comment 1

27 days ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 27 days ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.