Closed Bug 780542 Opened 11 years ago Closed 11 years ago

constructor functions return undefined in web console


(Core :: JavaScript Engine, defect)

17 Branch
Windows XP
Not set



Tracking Status
firefox14 --- affected
firefox15 + verified
firefox16 + verified
firefox17 + verified


(Reporter: watilin, Assigned: bzbarsky)



(Keywords: regression, testcase)


(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/17.0 Firefox/17.0
Build ID: 20120805030518

Steps to reproduce:

(On Nightly 17.0a1 with a fresh profile)

On a page containing this script :

function F() { this.x = 1; }

I opened the web console and typed "new F()".

Actual results:

the console returned "undefined".

Expected results:

It should have returned "({x:1})".

However, when I type "new window.F()" I get the right result. This bug seems related to although the latter have been resolved.
In the latest Nightly, if I type your instructions in the web console, I see:

[10:43:51.175] function F() { this.x = 1; }
[10:43:51.180] undefined
[10:43:56.231] new F()
[10:43:56.251] ({x:1})
Of course it works when the constructor has been declared into the console.
I figured out it also works when the constructor is used inside another function declared into the page :

function createF() { return new F(); }

When typing "createF()" in the console, I get the correct "({x:1})". It seems that the "new" operator has trouble to work wih the global context.
This page contains the declaration of functions "F" and "createF" to be used in the Web Console.
Attachment #649576 - Attachment mime type: text/plain → text/html
I followed your testcase and I found this regression range:


Suspected bug to confirm:
Boris Zbarsky — Bug 771429. Instead of using bound functions for the functions we get off the sandbox proto, use a function proxy. That allows property gets on the functions to get through. r=bholley
Component: Untriaged → Developer Tools: Console
Ever confirmed: true
Keywords: regression, testcase
This is totally a JS engine bug; I assumed that proxy construction actually worked correctly, but it very much doesn't.
Assignee: nobody → bzbarsky
Blocks: 771429
Component: Developer Tools: Console → JavaScript Engine
Product: Firefox → Core
Requesting tracking for the regression.
Whiteboard: [need review]
Attachment #649704 - Attachment is obsolete: true
Attachment #649704 - Flags: review?(ejpbruel)
Comment on attachment 650145 [details] [diff] [review]
Make construction via a function proxy with an object in the constructor slot actually construct instead of just calling.

Review of attachment 650145 [details] [diff] [review]:

Looking good :-)
Attachment #650145 - Flags: review?(ejpbruel) → review+

Eddy, how do you feel about taking this on branches?  Seems like we need to do this if we want to fix the web console behavior there....
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla17
Comment on attachment 650145 [details] [diff] [review]
Make construction via a function proxy with an object in the constructor slot actually construct instead of just calling.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 771429 
User impact if declined: Calling non-DOM constructors in the web console doesn't
   work right.
Testing completed (on m-c, etc.): Passes attached automated tests.
Risk to taking this patch (and alternatives if risky): I don't know.  Eddy is a
   better source for this.
String or UUID changes made by this patch: None.
Attachment #650145 - Flags: approval-mozilla-beta?
Attachment #650145 - Flags: approval-mozilla-aurora?
Closed: 11 years ago
Resolution: --- → FIXED
For what it's worth, Eddy thinks risk is low.

As far as alternatives if we decide this is too risky, I see several:

1)  Ship with this problem.
2)  Back out bug 771429 and ship with its problem instead of this one.
3)  Back out bug 771429 and fix it in some other way.  I'm not quite sure how, and it
    would almost certainly be riskier than this patch.
4)  Change the function proxy code so consumers can pick between the old and new behavior
    and only opt in sandboxes to the new behavior for now.  This is probably doable if
    really needed.  I think.
Comment on attachment 650145 [details] [diff] [review]
Make construction via a function proxy with an object in the constructor slot actually construct instead of just calling.

I think we're ok to not do a backout and to take this on branches.
Attachment #650145 - Flags: approval-mozilla-beta?
Attachment #650145 - Flags: approval-mozilla-beta+
Attachment #650145 - Flags: approval-mozilla-aurora?
Attachment #650145 - Flags: approval-mozilla-aurora+
Pushed to aurora:

Hopefully wont be backed out this time
Whiteboard: status-firefox15
Whiteboard: status-firefox15
For what it's worth, it looks like the first thing that got pushed was the old, obsolete, patch.  The one that didn't have approvals...
Keywords: verifyme
Able to see the issue on FF 15b4.
Verified fixed on FF 15b5 on Win XP and Win 7 using the STR in comment 0 and the testcase.
Removing verifyme for now. Please add again if you can think of any edge cases related to this that should be tested.
Keywords: verifyme
QA Contact: paul.silaghi
Keywords: verifyme
Verified fixed on:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0b4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 17.0a2 (2012-09-24)
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.