Reflect.construct corrupts members of the arguments list (error 80020101) #6338

Closed
Andrew-Cottrell opened this issue Nov 28, 2019 · 3 comments · Fixed by #6341

Andrew-Cottrell commented Nov 28, 2019

When calling Reflect.construct with an argument list, the members of the argument list are corrupted.

> console.log(navigator.userAgent)
  Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Edge/18.17763

> var subject = [];
> console.log(subject.__proto__ === Array.prototype);
  true

> Reflect.construct(Object, [subject]);
> console.log(subject.__proto__ === Array.prototype);
  false

> console.log(subject)
  Could not complete the operation due to error 80020101.

In other browsers subject is not corrupted and true is logged both times.

This may be related to #3217.

Andrew-Cottrell changed the title from "Reflect.construct corrupts members of the arguments list" to "Reflect.construct corrupts members of the arguments list (error 80020101)" on Nov 28, 2019

rhuanjl commented Nov 28, 2019

I've had a quick look at this with ChakraCore master and there is still an issue - specifically if you provide an array as the second parameter to Reflect.construct the prototype of the members of the array seems to get changed to Object.prototype. Repro:

var subject = [];
print(subject.__proto__ === Array.prototype); // prints true
Reflect.construct(Object, [subject]);
print(subject.__proto__ === Array.prototype); // prints false
print(subject.__proto__ === Object.prototype); // prints true

I cannot quickly see where this is occurring but it clearly needs to be fixed.

I can't be sure about the error 80020101; I think that's probably something to do with the Edge implementation of console.log and unrelated to this issue (it may not like printing objects; perhaps try wrapping subject in JSON.stringify).

@zenparsing

I think the issue here is that the Object constructor thinks that it's being called as a result of a super() call because Reflect.construct has supplied a new.target and it sets the prototype based on that.

I'll try to come up with a fix shortly @rhuanjl, unless you want to take it on.


rhuanjl commented Nov 28, 2019

Trying to think if calls being incorrectly assumed to be supers due to Reflect.construct could have other negative effects outside of the Object constructor.

If this just needs fixing for the Object constructor can probably special case it/make it work somehow; if it’s broader could be much messier.
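
An added regression check, not part of the original thread or of ChakraCore's own tests: it verifies what the ECMAScript Object constructor requires in the two situations discussed above (default new.target, and a distinct new.target as a super() call would supply) and goes beyond the array case by covering several object kinds. `NewTarget`, `SAMPLES`, `checkArgument` and `runChecks` are names made up for this example, and the sample values are constructed.

```javascript
// Added example: conformance check for Reflect.construct(Object, [value]).
// NewTarget, SAMPLES, checkArgument and runChecks are names made up here.
function NewTarget() {} // stands in for a derived constructor

// Returns a list of failure strings for one sample; empty means conforming.
// `construct` is injectable so the check itself can be exercised.
function checkArgument(makeValue, construct = Reflect.construct) {
  const failures = [];

  // Case 1: new.target defaults to Object, so Object(value) takes the
  // ToObject path: the argument comes back unchanged.
  let value = makeValue();
  let before = Object.getPrototypeOf(value);
  let result = construct(Object, [value]);
  if (Object.getPrototypeOf(value) !== before)
    failures.push("default new.target: argument prototype changed");
  if (result !== value)
    failures.push("default new.target: result is not the argument");

  // Case 2: a distinct new.target (what super() supplies). A fresh object
  // with NewTarget.prototype is created; the argument must stay untouched.
  value = makeValue();
  before = Object.getPrototypeOf(value);
  result = construct(Object, [value], NewTarget);
  if (Object.getPrototypeOf(value) !== before)
    failures.push("explicit new.target: argument prototype changed");
  if (result === value || Object.getPrototypeOf(result) !== NewTarget.prototype)
    failures.push("explicit new.target: result is not a fresh NewTarget instance");
  return failures;
}

// Constructed sample values covering ordinary and exotic objects.
const SAMPLES = {
  array: () => [],
  function: () => function () {},
  date: () => new Date(0),
  map: () => new Map(),
  nullProto: () => Object.create(null),
};

function runChecks(construct = Reflect.construct) {
  const report = {};
  for (const [name, make] of Object.entries(SAMPLES))
    report[name] = checkArgument(make, construct);
  return report;
}

console.log(JSON.stringify(runChecks(), null, 2));
```

On a conforming engine every entry in the report is an empty list; an engine showing the behaviour reported in this issue would list "default new.target: argument prototype changed" for the array sample.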
