Open
Bug 993030
Opened 10 years ago
Updated 2 years ago
Bound function |instanceof| doesn't work correctly across globals
Categories
(Core :: JavaScript: Standard Library, defect)
Core
JavaScript: Standard Library
Tracking
()
REOPENED
People
(Reporter: Waldo, Unassigned)
References
Details
There's a loop in fun_hasInstance: while (obj->is<JSFunction>() && obj->isBoundFunction()) obj = obj->as<JSFunction>().getBoundFunctionTarget(); This corresponds to [[HasInstance]] on bound functions, delegating to the [[HasInstance]] of the bound functions' targets. But you can bind functions from other globals, so there might be cross-compartment wrappers showing up here. In that case the loop will stop early, on a bound function. Because bound functions don't have a .prototype property, assuming an otherwise plain-vanilla environment, the [[Get]] for the "prototype" property of the final (in the non-buggy case) non-bound function will evaluate to |undefined|, and thus will hit ES5.1 15.3.5.3 step 3 and throw a TypeError. Testcase, which should evaluate to true but instead throws: [jwalden@find-waldo-now src]$ dbg/js/src/js js> var g = newGlobal(); js> var otherBound = g.evaluate("Boolean.bind();"); js> var bound = Function.prototype.bind.call(otherBound); js> new g.Boolean() instanceof bound typein:4:0 TypeError: 'prototype' property of bound is not an object Unless I'm misreading something here, that is, which is certainly a possibility. I seem to remember claims about making instanceof work across windows so that |new Boolean() instanceof g.Boolean|. If those have actually reached fruition in ES6, simply substituting a user-defined function instead of Boolean here will produce similar bugginess.
Comment 1•6 years ago
|
||
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Updated•6 years ago
|
Status: RESOLVED → REOPENED
Resolution: INACTIVE → ---
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•