Closed Bug 647412 Opened 9 years ago Closed 5 years ago

evalcx+trap = "Error: can't convert f to an integer"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set

Tracking

RESOLVED DUPLICATE of bug 1031876

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: regression, testcase)

var sandbox = evalcx("");
sandbox.trap = trap;
sandbox.print = print;
print(evalcx("var f = function(n){return n*n;}; trap(f,0,''); f(3);", sandbox));

Result:   Error: can't convert f to an integer
Expected: 9

This breaks the part of jsfunfuzz that makes sure trap() doesn't affect program behavior.

The first bad revision is:
changeset:   3aaaa21012c8
user:        Jason Orendorff
date:        Wed Jun 23 16:35:10 2010 -0500
summary:     Bug 563099 - Compartments and wrappers API. r=gal.

Hmm. This is calling the initial global compartment's trap function, but passing it a function defined in the sandbox.

The trap function therefore sees a wrapper of f. This is the main problem.

The other problem is that trap doesn't always generate sane error messages. You'll get the same bizarre "can't convert" error message from
  trap(new Date, 0, '')

As a workaround, write:

  var sandbox = newGlobal("new-compartment");
  print(sandbox.eval("var f = function(n){return n*n}; trap(f,0,''); f(3);"));

Globals created by newGlobal have all the shell builtins, including trap and print. Therefore the trap function being called here is same-compartment with f, so it works.
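
The wrapper failure described in the comments above, as an added JavaScript model that is not part of the original thread and is not SpiderMonkey shell code. `trapLike`, `defineFunction`, `wrap` and the argument-parsing rule are assumptions made for illustration, with a Proxy standing in for the cross-compartment wrapper; the model covers the direct (same-compartment) call and an unwrapping variant.

```javascript
// Model only. trapLike, defineFunction, wrap and both WeakMaps are hypothetical
// names for this example; none of them is a SpiderMonkey API.
const scripts = new WeakMap();       // real function -> Map(pc -> trap code)
const wrapperTarget = new WeakMap(); // wrapper -> wrapped object

function defineFunction(fn) {
  scripts.set(fn, new Map());
  return fn;
}

// Stand-in for a cross-compartment wrapper: callable, forwards everything,
// but is a different object from the function it wraps.
function wrap(obj) {
  const w = new Proxy(obj, {});
  wrapperTarget.set(w, obj);
  return w;
}

function toInteger(v) {
  if (Number.isInteger(v)) return v;
  const label = (typeof v === "function" && v.name) || Object.prototype.toString.call(v);
  throw new Error("can't convert " + label + " to an integer");
}

// Assumed parsing: the leading function argument is optional, so a first
// argument that is not recognized as a function is parsed as the pc.
function trapLike(first, pc, code, { unwrap = false } = {}) {
  // Model shortcut: a real security boundary needs a permission check before unwrapping.
  if (unwrap && wrapperTarget.has(first)) first = wrapperTarget.get(first);
  if (!scripts.has(first)) {
    toInteger(first); // throws for any object, wrapper or Date alike
    throw new Error("no function given");
  }
  const table = scripts.get(first);
  table.set(toInteger(pc), code);
  return table.size;
}

function errorOf(thunk) {
  try { thunk(); return null; } catch (e) { return e.message; }
}

// Constructed sample: f lives in the "sandbox"; the caller only holds a wrapper.
const f = defineFunction(function f(n) { return n * n; });
const wrappedF = wrap(f);
console.log(errorOf(() => trapLike(wrappedF, 0, "")));
console.log(errorOf(() => trapLike(new Date(), 0, "")));
console.log(trapLike(wrappedF, 0, "", { unwrap: true }), wrappedF(3));
```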

The workaround works in jsfunfuzz :) I found some new trap bugs:

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=656381,656490,656555,656847,657524

Assignee: general → nobody

trap() was removed in https://hg.mozilla.org/mozilla-central/rev/a5f2a50967b0 (bug 1031876)

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1031876