Nodelist prototype property getters/setters are called with wrong |this|

RESOLVED FIXED in Firefox 10

Status

()

Core
JavaScript Engine
P1
normal
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: bz, Assigned: bz)

Tracking

({regression})

Trunk
mozilla10
regression
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox10+ fixed)

Details

Attachments

(3 attachments, 1 obsolete attachment)

See the attached testcase.  It should alert "[object HTMLBodyElement]", not undefined, and does in fx7.

This would be really easy to fix in the nodelist proxy code, except that the JS engined doesn't expose the APIs that do the right thing (that is, looking up the prop on the proto but using the proxy itself as |this|) to consumers.

I suspect we need to fix this for fx10....
Created attachment 570801 [details]
Testcase
Created attachment 570806 [details]
An even worse manifestation of this problem

We forward the fast paths to proto if it's been tampered with, so this testcase throws when it shouldn't.
I'm happy to take this given some indication of what public APIs would be acceptable here for jseng....
JSBool JS_ProxyGetPropertyTo(JSContext* cx, JSObject* obj, T propname, JSObject* onBehalfOf, jsval* vp);

perhaps, conditioned on a comment by it in jsapi.h explaining the exact meanings of obj and onBehalfOf, could do it.
Where T is a jsid for now?  Or would you prefer separate uint32 and property name variants?  If so, what should T be for the name variant?
Hardware: ARM → All
Version: 7 Branch → Trunk
T would be jsid and uint32 for now.  I need to add JSPropertyName to JSAPI so there could be a third variant for property names known not to be uint32 (and not special, but nothing anyone cares about is special) before you could add a JSPropertyName variant.
Created attachment 570841 [details] [diff] [review]
When forwarding gets to the prototype in nodelists, make sure to use the right |this|.

Now that I look at the code, maybe the api should use 'Forward' instead of 'Proxy'?
Attachment #570841 - Flags: review?(peterv)
Attachment #570841 - Flags: review?(jwalden+bmo)
Created attachment 570842 [details] [diff] [review]
Including the test file too
Attachment #570842 - Flags: review?(peterv)
Attachment #570842 - Flags: review?(jwalden+bmo)
Attachment #570841 - Attachment is obsolete: true
Attachment #570841 - Flags: review?(peterv)
Attachment #570841 - Flags: review?(jwalden+bmo)
Assignee: general → bzbarsky
Priority: -- → P1
Whiteboard: [need review]
Blocks: 698495
tracking-firefox10: --- → ?
Keywords: regression
Comment on attachment 570842 [details] [diff] [review]
Including the test file too

Review of attachment 570842 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsapi.h
@@ +3431,5 @@
>  extern JS_PUBLIC_API(JSBool)
>  JS_GetPropertyByIdDefault(JSContext *cx, JSObject *obj, jsid id, jsval def, jsval *vp);
>  
>  extern JS_PUBLIC_API(JSBool)
> +JS_ProxyGetPropertyTo(JSContext *cx, JSObject *obj, jsid id, JSObject *onBehalfOf, jsval *vp);

I suggested this name.  In isolation it's a reasonable name.  But now that I think about it, this kind of clashes a bit with Proxy objects and all that nonsense.  What do you think of JS_ForwardGetPropertyTo instead, mutatis mutandis for element?
Attachment #570842 - Flags: review?(jwalden+bmo) → review+
Ahahaha, we had the same idea!  :-D  That's what I get for not reading bug commentas.
> Ahahaha, we had the same idea!

Yep.  I'll make that change.  ;)
Attachment #570842 - Flags: review?(peterv) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/73baf8c58b95
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla10
https://hg.mozilla.org/mozilla-central/rev/73baf8c58b95
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
tracking-firefox10: ? → +

Updated

5 years ago
status-firefox10: --- → fixed
You need to log in before you can comment on or make changes to this bug.