Comment #4 on issue 2268 by [email protected]: Support the correct
instance-of check for DOM methods
http://code.google.com/p/v8/issues/detail?id=2268
To give a short summary of the whole story: Getting rid of
v8::Arguments::Holder() is not a feasible option because the DOMWindow
object (which is the holder for native properties) is used as a compatible
receiver in v8::Signature for functions installed on the global object.
This means the implicit instance-of check will make sure the DOMWindow is
passed via v8::Arguments::Holder() whereas the GlobalProxy is passed via
v8::Arguments::This(). So Chrome actually relies heavily on the (Holder !=
This) behavior. However this prototype chain is hidden from JavaScript and
cannot be mutated from within JavaScript. The changes make sure that the
prototype chain also cannot be extended from within JavaScript.
This is what the prototype chain looks like for DOMWindow:
GlobalProxy ---> GlobalObject ---> DOMWindow ---> Window
     |        (1)             (2)      |       (3)
     |                                 |
 args.This()                     args.Holder()
The prototype links (1) and (2) are hidden from JavaScript whereas (3) is
visible to JavaScript. Most DOM methods are correctly installed on Window,
but only accept the GlobalProxy as a valid receiver now. The following
examples will throw an implicit TypeError now:
var div = document.createElement("div");
var obj = Object.create(div);
obj.focus(); // TypeError: Illegal invocation
var foo = Object.create(window);
foo.alert(); // TypeError: Illegal invocation
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
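The receiver check described in the comment, modelled in plain JavaScript as an added example (not code from the issue comment, V8 or Chrome, and runnable without a browser): a WeakSet stands in for the hidden holder that v8::Signature verifies through args.Holder(), so an object that merely has a DOM instance on its prototype chain is rejected. The names FakeElement, createElement and tryFocus are assumed for the example.

```javascript
// Added example, not from the issue comment or from V8/Chrome. Models the
// receiver check described above: a DOM method must be invoked on an object
// that really is a DOM instance, not merely on something whose prototype
// chain reaches one. The WeakSet stands in for the hidden holder that
// v8::Signature checks via args.Holder().
const branded = new WeakSet(); // objects carrying the "DOM instance" brand

function checkReceiver(receiver) {
  // Prototype-chain membership is not enough: Object.create(div) has div on
  // its chain but is not itself branded, so it is rejected, as are plain
  // objects and primitives (WeakSet.has returns false for them).
  if (!branded.has(receiver)) {
    throw new TypeError("Illegal invocation");
  }
}

class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.focused = false;
    branded.add(this);
  }
  focus() {
    checkReceiver(this); // rejects derived or spoofed receivers
    this.focused = true;
    return this;
  }
}

function createElement(tagName) {
  return new FakeElement(tagName);
}

// Returns "ok" or the TypeError message so the outcome can be inspected.
function tryFocus(target) {
  try {
    target.focus();
    return "ok";
  } catch (err) {
    return err instanceof TypeError ? err.message : String(err);
  }
}

const div = createElement("div");
const derived = Object.create(div); // same shape as the comment's example
console.log(tryFocus(div));         // ok
console.log(tryFocus(derived));     // Illegal invocation
// Calling the method with the real, branded instance as receiver is fine:
console.log(FakeElement.prototype.focus.call(div).focused); // true
```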