Closed Bug 606875 Opened 14 years ago Closed 14 years ago

Object.prototype.toString no longer works for arrays created in sandboxes or windows from a different principal

Categories

(Core :: JavaScript Engine, defect)

x86_64
Windows CE
defect
Not set
normal

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: kmag, Assigned: gal)

Details

(Keywords: regression)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0b8pre) Gecko/20101022 Firefox/4.0b8pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b8pre) Gecko/20101022 Firefox/4.0b8pre

Until a nightly sometime after 20101012, Array.isArray correctly returned true for arrays created in content documents or sandboxes. Now it returns false, and further, Object.prototype.toString.call returns "[object Object]" rather than "[object Array]". The same is true for arrays created in chrome documents passed to the same functions from a content window.

The following is what I currently see:
js> Array.isArray(content.wrappedJSObject.Array())
false
js> Object.prototype.toString.call(content.wrappedJSObject.Array())
"[object Object]"
js> Array.isArray(Cu.evalInSandbox("[]", Cu.Sandbox(window, { wantXrays: false })))
false
js> Object.prototype.toString.call(Cu.evalInSandbox("[]", Cu.Sandbox(window, { wantXrays: false })))
"[object Object]"
js> content.wrappedJSObject.Array.isArray([])
false
js> content.wrappedJSObject.Object.prototype.toString.call([])
"[object Object]"
js> content.wrappedJSObject.Array.isArray(content.wrappedJSObject.Array())
true
js> content.wrappedJSObject.Object.prototype.toString.call(content.wrappedJSObject.Array())
"[object Array]"

The following is what I used to see, and what I'd expect:
js> Array.isArray(content.wrappedJSObject.Array())
true
js> Object.prototype.toString.call(content.wrappedJSObject.Array())
"[object Array]"
js> Array.isArray(Cu.evalInSandbox("[]", Cu.Sandbox(window, { wantXrays: false })))
true
js> Object.prototype.toString.call(Cu.evalInSandbox("[]", Cu.Sandbox(window, { wantXrays: false })))
"[object Array]"
js> content.wrappedJSObject.Array.isArray([])
true
js> content.wrappedJSObject.Object.prototype.toString.call([])
"[object Array]"
js> content.wrappedJSObject.Array.isArray(content.wrappedJSObject.Array())
true
js> content.wrappedJSObject.Object.prototype.toString.call(content.wrappedJSObject.Array())
"[object Array]"

The only method that currently works is to check obj.constructor.name === "Array".



Reproducible: Always
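
The cross-global behaviour described in the report above can be reproduced outside Firefox. This is an added example, not code from this bug or from Mozilla: Node's `vm` contexts stand in for the sandboxes and content windows, and every sample value is constructed. It goes one step beyond the report by including objects that forge `constructor.name` and the ES2015 `Symbol.toStringTag`, which shows why `Array.isArray` is the check to rely on for values arriving from a less-trusted context.

```javascript
// Added example: Node's vm contexts stand in for the sandboxes and content
// windows in the report. All sample values below are constructed.
const vm = require('vm');

// The array checks mentioned in the thread, run from the "trusted" global.
const checks = {
  instanceofArray: (v) => v instanceof Array,
  isArray: (v) => Array.isArray(v),
  toStringTag: (v) => Object.prototype.toString.call(v) === '[object Array]',
  constructorName: (v) => Boolean(v && v.constructor) && v.constructor.name === 'Array',
};

// Apply every check to one value and return { checkName: boolean }.
function classify(value) {
  return Object.fromEntries(
    Object.entries(checks).map(([name, check]) => [name, check(value)])
  );
}

// A separate global object with its own Array, Object and prototypes.
const sandbox = vm.createContext({});
const fromSandbox = (source) => vm.runInContext(source, sandbox);

const samples = {
  // A genuine array that was created in the other global.
  foreignArray: fromSandbox('[1, 2, 3]'),
  // Plain object whose constructor is a sandbox function named "Array".
  forgedName: fromSandbox('(function () { function Array() {} return new Array(); })()'),
  // Plain object that overrides the ES2015 toString tag.
  forgedTag: fromSandbox('({ [Symbol.toStringTag]: "Array", length: 0 })'),
  // Array created in the calling global, for comparison.
  localArray: [1, 2, 3],
};

// Build the full result table: one row per sample, one column per check.
function report() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, value]) => [name, classify(value)])
  );
}

console.table(report());
```

Only `isArray` is true for both real arrays and false for both forged objects; `instanceof` misses the foreign array, and the `constructor.name` and `toString` checks each accept one of the forgeries.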
Sounds like compartments fallout?
Assignee: nobody → general
Blocks: compartments
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Component: General → JavaScript Engine
Ever confirmed: true
Keywords: regression
QA Contact: general → general
I recently fixed this. isArray should be true with a TM build. Can you verify?
Yes, Array.isArray works as expected in the latest TM nightly. Object.prototype.toString still doesn't, though.
Alright, let's retarget this bug to O.p.toString then. You might want to try out Function.p.toString as well. That can have weird effects too.
F.p.toString seems to work as expected, but I would be less worried if it didn't. O.p.toString seems to be one of the more common methods of detecting Arrays these days (in code not targeting ES5, at any rate), and I use it in a few places to detect Sandbox objects and Errors that have propagated from Sandbox or module contexts.

Since it also seems to be in the pale of this bug, it seems that XML objects from other contexts are similarly affected. typeof xml returns "object", String(x) throws an exception "String(x) is not a function", and O.p.toString.call(x) returns "[object Object]" or in some circumstances "[object Undefined]".
Summary: Array.isArray no longer works for arrays created in sandboxes or windows from a different principal → Object.prototype.toString no longer works for arrays created in sandboxes or windows from a different principal
blocking2.0: ? → beta8+
Would this have extension compatibility effects? If not, happy to move back to beta8+
blocking2.0: beta8+ → beta7+
Kris, can I get some help from you testing a fix?
Attached patch: patch
Assignee: general → gal
Attachment #486172 - Flags: review?(mrbkap)
Attachment #486172 - Flags: review?(mrbkap) → review+
attachment 486172 works for me, but recent builds from mozilla-central are crashing quite badly for me, so until I find a stable build I can't say much more than that.

As for the E4X problems I mentioned above, I think I'll open another bug, since I've noticed some other severe problems when dealing with XML from foreign contexts.

beltzner: I think it would have extension compatibility effects. The Array.isArray problem broke some parts of my extension quite badly, and I'm fairly certain that checking O.p.toString.call(obj) == '[object Array]' is a rather common way of checking for arrays in extension code, especially given the number of different contexts we tend to have to deal with. I know that it's quite common in the wild where it's not nearly as useful.
Can someone land this for me please?
OS: Linux → Windows CE
http://hg.mozilla.org/mozilla-central/rev/1107ae661cc6
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Blocks: 607113