Open Bug 993030 Opened 10 years ago Updated 2 years ago

Bound function |instanceof| doesn't work correctly across globals

Categories

(Core :: JavaScript: Standard Library, defect)

REOPENED

People

(Reporter: Waldo, Unassigned)

There's a loop in fun_hasInstance:

    while (obj->is<JSFunction>() && obj->isBoundFunction())
        obj = obj->as<JSFunction>().getBoundFunctionTarget();

This corresponds to [[HasInstance]] on bound functions, delegating to the [[HasInstance]] of the bound functions' targets.  But you can bind functions from other globals, so there might be cross-compartment wrappers showing up here.  In that case the loop will stop early, on a bound function.  Because bound functions don't have a .prototype property, assuming an otherwise plain-vanilla environment, the [[Get]] for the "prototype" property of the final (in the non-buggy case) non-bound function will evaluate to |undefined|, and thus will hit ES5.1 15.3.5.3 step 3 and throw a TypeError.  Testcase, which should evaluate to true but instead throws:

    [jwalden@find-waldo-now src]$ dbg/js/src/js
    js> var g = newGlobal();
    js> var otherBound = g.evaluate("Boolean.bind();");
    js> var bound = Function.prototype.bind.call(otherBound);
    js> new g.Boolean() instanceof bound
    typein:4:0 TypeError: 'prototype' property of bound is not an object

Unless I'm misreading something here, that is, which is certainly a possibility.

I seem to remember claims about making instanceof work across windows so that |new Boolean() instanceof g.Boolean|.  If those have actually reached fruition in ES6, simply substituting a user-defined function instead of Boolean here will produce similar bugginess.
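
The loop behaviour described in the report, as an added JavaScript model that is not part of the bug report and is not SpiderMonkey code. `PlainFn`, `BoundFn`, `Wrapper` and both `hasInstance*` functions are hypothetical stand-ins; the second loop is there only for contrast and is not a proposed patch.

```javascript
// Constructed model: these classes are assumptions, not SpiderMonkey types.
class PlainFn { constructor() { this.prototype = {}; } }  // owns a .prototype
class BoundFn { constructor(target) { this.target = target; } } // no .prototype
class Wrapper { constructor(wrapped) { this.wrapped = wrapped; } } // cross-compartment stand-in

// [[Get]] of "prototype": a wrapper forwards the lookup to what it wraps.
function getPrototypeProp(obj) {
  while (obj instanceof Wrapper) obj = obj.wrapped;
  return obj.prototype;
}

// ES5.1 15.3.5.3 on whatever object the target-following loop ended on.
function ordinaryHasInstance(fn, value) {
  const proto = getPrototypeProp(fn);
  if (proto === null || typeof proto !== "object")
    throw new TypeError("'prototype' property is not an object"); // step 3
  for (let p = Object.getPrototypeOf(value); p !== null; p = Object.getPrototypeOf(p))
    if (p === proto) return true;
  return false;
}

// Loop shape from the report: follows targets only while it sees a bound
// function directly, so it stops at the first wrapper.
function hasInstanceAsReported(obj, value) {
  while (obj instanceof BoundFn) obj = obj.target;
  return ordinaryHasInstance(obj, value);
}

// Contrast: keep following targets through wrappers as well.
function hasInstanceThroughWrappers(obj, value) {
  while (obj instanceof Wrapper || obj instanceof BoundFn)
    obj = obj instanceof Wrapper ? obj.wrapped : obj.target;
  return ordinaryHasInstance(obj, value);
}

// Mirrors the testcase: bound -> wrapper -> otherBound -> g.Boolean.
function demo() {
  const gBoolean = new PlainFn();                      // g.Boolean
  const otherBound = new BoundFn(gBoolean);            // Boolean.bind() in g
  const bound = new BoundFn(new Wrapper(otherBound));  // bind.call(otherBound)
  const value = Object.create(gBoolean.prototype);     // new g.Boolean()
  let reported;
  try { reported = hasInstanceAsReported(bound, value); }
  catch (e) { reported = e.constructor.name; }
  return { reported, expected: hasInstanceThroughWrappers(bound, value) };
}
```
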
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
See Also: → 1360715
Severity: normal → S3