Closed
Bug 785941
Opened 12 years ago
Closed 9 years ago
Nodelist length getter seems to work even if the this object is not a nodelist, because getters on a proxy's prototype chain are always handed the proxy, not the real thisObj
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
(Depends on 1 open bug, Blocks 1 open bug, )
Details
(Whiteboard: [js:p2])
Attachments
(2 files)
|
3.03 KB,
patch
|
Details | Diff | Splinter Review | |
|
1.96 KB,
patch
|
Ms2ger
:
review+
|
Details | Diff | Splinter Review |
Consider this testcase
<script name="foo">
var bug = {};
bug.__proto__ = document.getElementsByTagName("script");
try {
alert(bug.length)
} catch(e) {
console.log(e.message);
}
</script>
I believe per spec this should throw, but it alerts 1 instead. When we land in length_getter, the "this" object is already the proxy. I don't understand why that is; that seems broken.
|
||
Comment 1•12 years ago
|
||
I agree it should throw.
|
|
||
Comment 2•12 years ago
|
||
But I wonder if it would be more useful not to throw, but to delegate to an object of the right type in the prototype chain. We could make the getter and setter functions of the accessor properties for IDL attributes and operations look up the prototype chain if the this object they get isn't of the right type.
|
Assignee | |
Comment 3•12 years ago
|
||
Gecko used to sort of do that. We removed it, because it slows down the DOM in the non-proxy case, significantly complicates implementation (the former is a result of the latter), and isn't required on the web in practice. I would not be particularly interested in adding it back for most DOM objects.
|
|
Assignee | |
Comment 4•12 years ago
|
||
Well, correction. We _could_ make it work for this-unwrapping. We definitely do not want to do it for argument unwrapping.
|
|
||
Comment 5•12 years ago
|
||
I see. Well, it's probably not worth doing if it would be inconsistent like that.
|
|
||
Comment 6•12 years ago
|
||
(By which I mean, you can get properties from them but can't pass them to other functions.)
|
||
Comment 7•12 years ago
|
||
proxy_LookupGeneric uses has(...) to check whether the proxy has the property, and if has(...) returns true then it sets objp to the proxy, even if the property was found on the proto.
|
|
||
Comment 8•12 years ago
|
||
(In reply to Peter Van der Beken [:peterv] from comment #7)
> even if the property was found on the proto.
Actually, that's ok but the problem is that we then call the getter with *objp as the this (in js_GetPropertyHelperInline).
|
|
||
Comment 9•12 years ago
|
||
In particular, we end up in this block in js_GetPropertyHelperInline:
if (!obj2->isNative()) {
return obj2->isProxy()
? Proxy::get(cx, obj2, receiver, id, vp)
: JSObject::getGeneric(cx, obj2, obj2, id, vp);
}
|
|
Assignee | |
Comment 10•12 years ago
|
||
That sounds like a JS engine bug to me, then... We should be getting the original object in our getter, not the proxy.
Assignee: nobody → general
Component: DOM → JavaScript Engine
Summary: Nodelist length getter seems to work even if the this object is not a nodelist → Nodelist length getter seems to work even if the this object is not a nodelist, because getters on a proxy
|
|
Assignee | |
Updated•12 years ago
|
Summary: Nodelist length getter seems to work even if the this object is not a nodelist, because getters on a proxy → Nodelist length getter seems to work even if the this object is not a nodelist, because getters on a proxy's prototype chain are always handed the proxy, not the real thisObj
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Whiteboard: [js:p2]
|
||
Updated•10 years ago
|
Assignee: general → nobody
|
|
Assignee | |
Updated•10 years ago
|
Flags: needinfo?(efaustbmo)
|
|
Assignee | |
Comment 11•10 years ago
|
||
Jason, you've been working on proxy correctness stuff, right?
Flags: needinfo?(jorendorff)
|
||
Comment 12•10 years ago
|
||
Could GetPropertyOnPrototype be the problem? It looks like that just drops the receiver on the floor.
|
|
||
Comment 13•10 years ago
|
||
Yep, this makes it throw.
|
|
Assignee | |
Comment 14•10 years ago
|
||
Aha! See bug 1118360.
I do think the issue used to be higher upstream in the JS engine, but sounds like that got fixed in the interim.
|
|
||
Comment 15•10 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #14)
> Aha! See bug 1118360.
>
> I do think the issue used to be higher upstream in the JS engine, but sounds
> like that got fixed in the interim.
Agreed.
|
||
Updated•10 years ago
|
Component: JavaScript Engine → DOM
|
|
Assignee | |
Comment 16•9 years ago
|
||
This got fixed by passing the actual receiver in GetPropertyOnPrototype. That happened in bug 603201.
Need to add a test.
Depends on: 603201
|
|
Assignee | |
Updated•9 years ago
|
Flags: in-testsuite?
|
|
Assignee | |
Comment 17•9 years ago
|
||
Attachment #8735455 -
Flags: review?(Ms2ger)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
|
|
||
Comment 18•9 years ago
|
||
Comment on attachment 8735455 [details] [diff] [review]
Add a test for
Review of attachment 8735455 [details] [diff] [review]:
-----------------------------------------------------------------
::: testing/web-platform/tests/dom/collections/HTMLCollection-as-proto-length-get-throws.html
@@ +1,3 @@
> +<!doctype html>
> +<meta charset=utf-8>
> +<title></title>
A title would be nice.
Attachment #8735455 -
Flags: review?(Ms2ger) → review+
|
||
Comment 19•9 years ago
|
||
|
||
Comment 20•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
|
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•