var sandbox = evalcx(""); sandbox.trap = trap; sandbox.print = print; print(evalcx("var f = function(n){return n*n;}; trap(f,0,''); f(3);", sandbox)); Result: Error: can't convert f to an integer Expected: 9 This breaks the part of jsfunfuzz that makes sure trap() doesn't affect program behavior. The first bad revision is: changeset: 3aaaa21012c8 user: Jason Orendorff date: Wed Jun 23 16:35:10 2010 -0500 summary: Bug 563099 - Compartments and wrappers API. r=gal.

Hmm. This is calling the initial global compartment's trap function, but passing it a function defined in the sandbox. The trap function therefore sees a wrapper of f. This is the main problem. The other problem is that trap doesn't always generate sane error messages. You'll get the same bizarre "can't convert" error message from trap(new Date, 0, '')

As a workaround, write: var sandbox = newGlobal("new-compartment"); print(sandbox.eval("var f = function(n){return n*n}; trap(f,0,''); f(3);")); Globals created by newGlobal have all the shell builtins, including trap and print. Therefore the trap function being called here is same-compartment with f, so it works.

The workaround works in jsfunfuzz :) I found some new trap bugs: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=656381,656490,656555,656847,657524

trap() was removed in https://hg.mozilla.org/mozilla-central/rev/a5f2a50967b0 (bug 1031876)