Closed Bug 720973 Opened 12 years ago Closed 12 years ago

str.replace(regexp, newSubStr) fails in evalInSandbox

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 688069

People

(Reporter: alice0775, Unassigned)

Details

Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/cfaee7b043f7
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120124 Firefox/12.0a1 ID:20120124031127

str.replace(regexp, newSubStr) fails in evalInSandbox

Steps to Reproduce:
1. Enable devtools.chrome.enabled = true;
2. Open Scratchpad
3. Paste the following JavaScript code
4. Environment > Browser
5. Execute > Run

var evalString = <![CDATA[
{
    var regExp     = RegExp("[bcd]","");
    var testStr    = "aacee";
    var resultStr  = testStr.replace(regExp, "");

    alert('resultStr is: "' + resultStr + '"');
}
]]>.toString();
var win = content.wrappedJSObject;
var sb = new Components.utils.Sandbox(win);
sb.window = win;
Components.utils.evalInSandbox("with(window){" + evalString + "}", sb);


Actual result:
  resultStr is: "aacee"

Expected result:
  resultStr is: "aaee"


============
On the other hand, eval() works as expected.

var evalString = <![CDATA[
{
    var regExp     = RegExp("[bcd]","");
    var testStr    = "aacee";
    var resultStr  = testStr.replace(regExp, "");

    alert('resultStr is: "' + resultStr + '"');
}
]]>.toString();
eval(evalString);

RegExpGuard::init does this:

  ValueIsRegExp(vp[2])

which does:

    return !v.isPrimitive() && v.toObject().isRegExp();

but I bet in this case vp[2] is a security wrapper around a RegExp object, since the code in the sandbox is running in the sandbox compartment but the RegExp constructor is being gotten off the content window.

This seems like it'll bite compartment-per-global too, right?

Status: UNCONFIRMED → NEW
Ever confirmed: true

There is already a bug blocking c-p-g (bug 688069).  The reason it wasn't fixed with the rest of these (bug 683361) is because we needed a single-threaded runtime to simplify the implementation.  This bug should be fixed soon now that the runtime is single-threaded.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
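
The diagnosis in the thread, modelled in plain JavaScript as an added example (not code from the bug report or from SpiderMonkey): a Proxy stands in for the security wrapper, and `securityWrapper`, `valueIsRegExp`, `legacyReplace` and `wrapperAwareReplace` are hypothetical names. The wrapper-aware variant is an assumption for illustration, not a description of the change made for bug 688069.

```javascript
// Constructed model; all function names here are hypothetical.
const sourceGetter =
  Object.getOwnPropertyDescriptor(RegExp.prototype, "source").get;
const wrapped = new WeakMap(); // wrapper -> wrapped object

// Stand-in for a security wrapper: forwards property reads to the target,
// but the wrapper object itself carries no RegExp internal state.
function securityWrapper(target) {
  const proxy = new Proxy(target, {
    get(t, key) {
      const v = Reflect.get(t, key, t);
      return typeof v === "function" ? v.bind(t) : v;
    },
  });
  wrapped.set(proxy, target);
  return proxy;
}

// Analogue of `!v.isPrimitive() && v.toObject().isRegExp()`: passes only
// when v itself is a RegExp (the `source` getter throws otherwise).
function valueIsRegExp(v) {
  if (v === null || typeof v !== "object" || v === RegExp.prototype) return false;
  try { sourceGetter.call(v); return true; } catch (e) { return false; }
}

// replace() with the check from the thread: a value that fails the check is
// converted to a string and searched for literally.
function legacyReplace(str, pattern, replacement) {
  return valueIsRegExp(pattern)
    ? str.replace(pattern, replacement)
    : str.replace(String(pattern), replacement);
}

// Assumed remedy: look through the wrapper before the type check.
function wrapperAwareReplace(str, pattern, replacement) {
  return legacyReplace(str, wrapped.get(pattern) || pattern, replacement);
}

const re = new RegExp("[bcd]", "");      // pattern from the report
const viaWrapper = securityWrapper(re);  // what the sandbox code receives
console.log(legacyReplace("aacee", re, ""));               // "aaee"
console.log(String(viaWrapper));                           // "/[bcd]/"
console.log(legacyReplace("aacee", viaWrapper, ""));       // "aacee"
console.log(wrapperAwareReplace("aacee", viaWrapper, "")); // "aaee"
```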