Bug 654370 - instanceof operators doesn't work in a sandbox
Status: RESOLVED FIXED
Keywords: fixed-in-tracemonkey
Product: Core
Classification: Components
Component: XPConnect
Version: Trunk
Platform: All All
Importance: -- normal
Assigned To: Blake Kaplan (:mrbkap)
Reported: 2011-05-02 22:28 PDT by Jan Honza Odvarko [:Honza] PTO 07/23 - 08/08
Modified: 2012-01-29 00:08 PST

Attachments
Proposed fix (3.87 KB, patch)
2011-05-17 00:28 PDT, Blake Kaplan (:mrbkap)
gal: review+

Description Jan Honza Odvarko [:Honza] PTO 07/23 - 08/08 2011-05-02 22:28:11 PDT
I am facing a problem when using the instanceof operator within a sandbox;
see the following example:

var Cu = Components.utils;
// Sandbox whose principal is the current window.
var sandbox = new Cu.Sandbox(window);
// Function evaluated inside the sandbox; the instanceof check runs there.
var script = "function (obj, type) { return obj instanceof type; }";
var instanceOf = Cu.evalInSandbox(script, sandbox, "1.8", "Test", 1);
// A plain object is not a Window, so the expected result is false.
instanceOf({}, Window);

I have evaluated this code in the Error Console (Tools -> Error Console)
command line.
(Just to note that changing wantXrays doesn't make any difference.)

Firefox 3.6 returns false
Firefox 4.0 returns true
Firefox 5.0 (Aurora) returns true

So, only Firefox 3.6 works as expected.

Related thread:
http://groups.google.com/group/mozilla.dev.platform/browse_thread/thread/d082eaff53167a84/394e7b92d364e08f?hl=en#394e7b92d364e08f

Honza
Comment 1 Boris Zbarsky [:bz] 2011-05-03 06:27:28 PDT
Blake, Andreas, this sounds like proxy fail of some sort...
Comment 2 Blake Kaplan (:mrbkap) 2011-05-17 00:28:06 PDT
Created attachment 532885 [details] [diff] [review]
Proposed fix

Everywhere except in jswrapper where we call into the JSClass's hasInstance hook, we initialize the out parameter to false. I don't know if that's an implicit part of the API, but it led to us reading an uninitialized boolean because nsDOMClassInfo depended on this behavior.

It's a little weird to have a guaranteed-initialized out parameter coming from the JS engine, so I fixed nsDOMClassInfo to not depend on it, but also initialized the out param in the proxy code to be on the safe side.
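The out-parameter contract described in comment 2, modelled in C as an added example (this is not SpiderMonkey's or Gecko's code): a simplified hook type stands in for the hasInstance hook, one hook writes its result only on the positive path, one writes it on every path, a defensive caller pre-initialises the result to false, a forwarding caller models the wrapper path by passing in whatever stale value the slot already held, and a poison-based contract check catches hooks that fail to write. The hook signature, the class ids and the object model are constructed for the illustration and are not the real JSHasInstanceOp; the stale value is passed in explicitly because reading genuinely uninitialised memory is undefined behaviour and would not demonstrate anything reproducibly.

```c
/*
 * Added illustration of the hasInstance out-parameter contract.
 * Simplified model; not SpiderMonkey's real JSHasInstanceOp signature.
 */
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for an object a hasInstance hook inspects. */
typedef struct {
    int class_id;
} JSObjectModel;

enum { CLASS_WINDOW = 1, CLASS_PLAIN = 2 };   /* constructed class ids */

/* Hook modelled loosely on a hasInstance hook: returns success and reports
 * the instanceof answer through the out parameter *bp. */
typedef bool (*HasInstanceHook)(const JSObjectModel *ctor,
                                const JSObjectModel *v, bool *bp);

/* Buggy pattern: writes *bp only on the positive path and silently relies on
 * the caller having pre-set it to false. */
static bool has_instance_relies_on_caller(const JSObjectModel *ctor,
                                          const JSObjectModel *v, bool *bp)
{
    if (v->class_id == ctor->class_id)
        *bp = true;
    return true;   /* reports success even though *bp may be untouched */
}

/* Fixed pattern: the hook owns its out parameter and writes it on every path. */
static bool has_instance_always_writes(const JSObjectModel *ctor,
                                       const JSObjectModel *v, bool *bp)
{
    *bp = (v->class_id == ctor->class_id);
    return true;
}

/* Caller modelled on the non-wrapper call sites: initialises the out
 * parameter to false before invoking the hook. */
static bool instance_of_defensive(HasInstanceHook hook, const JSObjectModel *ctor,
                                  const JSObjectModel *v)
{
    bool result = false;
    hook(ctor, v, &result);
    return result;
}

/* Caller modelled on the wrapper path before the fix: hands the hook whatever
 * the result slot already holds. In real code that is uninitialised stack
 * memory; here `stale` makes the behaviour deterministic. */
static bool instance_of_forwarding(HasInstanceHook hook, const JSObjectModel *ctor,
                                   const JSObjectModel *v, bool stale)
{
    bool result = stale;
    hook(ctor, v, &result);
    return result;
}

/* Contract check usable in a unit test: poison the out parameter with true,
 * call the hook on a non-matching value, and report whether the hook
 * overwrote the poison. Returns true when the hook honours the contract. */
static bool hook_writes_out_param(HasInstanceHook hook)
{
    JSObjectModel window_ctor = { CLASS_WINDOW };
    JSObjectModel plain = { CLASS_PLAIN };
    bool poison = true;              /* a non-match must flip this to false */
    if (!hook(&window_ctor, &plain, &poison))
        return false;
    return poison == false;
}

/* Convenience wrappers: test `hook` against a Window constructor and a value
 * of class `vclass`, through each caller style. */
static bool run_defensive(HasInstanceHook hook, int vclass)
{
    JSObjectModel ctor = { CLASS_WINDOW };
    JSObjectModel v = { vclass };
    return instance_of_defensive(hook, &ctor, &v);
}

static bool run_forwarding(HasInstanceHook hook, int vclass, bool stale)
{
    JSObjectModel ctor = { CLASS_WINDOW };
    JSObjectModel v = { vclass };
    return instance_of_forwarding(hook, &ctor, &v, stale);
}

int main(void)
{
    printf("buggy hook, defensive caller ({} instanceof Window):  %d\n",
           run_defensive(has_instance_relies_on_caller, CLASS_PLAIN));
    printf("buggy hook, forwarding caller with stale true:        %d\n",
           run_forwarding(has_instance_relies_on_caller, CLASS_PLAIN, true));
    printf("fixed hook, forwarding caller with stale true:        %d\n",
           run_forwarding(has_instance_always_writes, CLASS_PLAIN, true));
    printf("buggy hook honours out-param contract:                %d\n",
           hook_writes_out_param(has_instance_relies_on_caller));
    printf("fixed hook honours out-param contract:                %d\n",
           hook_writes_out_param(has_instance_always_writes));
    return 0;
}
```

The forwarding caller with a stale true reproduces the symptom from the description (a plain object reported as an instance of Window) only with the hook that skips the negative path; the contract check is the cheap regression guard, since it fails for any hook that does not write its out parameter regardless of what callers happen to initialise.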
Comment 3 Blake Kaplan (:mrbkap) 2011-05-17 06:56:36 PDT
http://hg.mozilla.org/tracemonkey/rev/57ef10a3d925 (gal sent me an r=him over e-mail as he's without a net connection at the moment).
Comment 4 Rob Campbell [:rc] (:robcee) 2011-05-17 09:18:07 PDT
was he in an airplane at the time?
Comment 5 Chris Leary [:cdleary] (not checking bugmail) 2011-05-23 14:12:33 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/57ef10a3d925
