Closed
Bug 1267041
Opened 9 years ago
Closed 9 years ago
Setting Function.prototype.prototype causes weird behaviour
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
DUPLICATE
of bug 1263525
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | unaffected |
| firefox48 | --- | fixed |
People
(Reporter: hsteen, Unassigned)
References
()
Details
(Keywords: regression, sec-audit)
Attachments
(1 file)
|
523 bytes,
text/html
|
Details |
Kayak.com depends on among others the Dean Edwards base library. For whatever reason, Dean has this line of code among his utilities:
Function.prototype.prototype = {};
This triggers a regression that causes some weird behaviour in current nightly when other JS on the Kayak site try to use Array.prototype.slice.call(arguments) to get an array from an arguments object. What you get is classified as an Array but actually its __proto__ is Object and it doesn't have normal array methods. See TC.
Moved from https://webcompat.com/issues/2440
Ah, got it. ArraySpeciesCreate calls std_Array when |originalArray| is not array. However in the spec this doesn't call the default array constructor, but ArrayCreate. The default array constructor (22.1.1) however uses GetPrototypeFromConstructor, which would end up using this .prototype property.
So the summarize: Using std_Array is wrong, we should probably use something like NewDenseArray?
Flags: needinfo?(arai.unmht)
Arai-san mentions this should be turned s-s. (ref bug 1263525)
Group: javascript-core-security
|
||
Comment 4•9 years ago
|
||
This is basically a dupe of bug 1263525, but might be better keeping this bug to track the issue on the website.
now that we have an actual website that hit the issue, we should fix it quickly.
Flags: needinfo?(arai.unmht)
|
|
||
Updated•9 years ago
|
status-firefox47:
--- → unaffected
See Also: → 1263525
|
||
Updated•9 years ago
|
Keywords: regressionwindow-wanted → sec-audit
Hallvord, the fix from bug 1263525 landed on m-c on 04-26 (https://bugzilla.mozilla.org/show_bug.cgi?id=1263525#c13). Would you be able to validate that the issue with kayak.com is now fixed as expected on a latest Nightly build? Thanks!
Flags: needinfo?(hsteen)
|
Reporter | |
Comment 6•9 years ago
|
||
Tested, works :) Let's call this a dup of https://bugzilla.mozilla.org/show_bug.cgi?id=1263525
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(hsteen)
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
|
||
Updated•9 years ago
|
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•