Closed Bug 1267041 Opened 6 years ago Closed 6 years ago

Setting Function.prototype.prototype causes weird behaviour


(Core :: JavaScript Engine, defect, P2)

48 Branch



Tracking Status
firefox47 --- unaffected
firefox48 --- fixed


(Reporter: hsteen, Unassigned)




(Keywords: regression, sec-audit)


(1 file)

Attached file wc2440.htm - TC depends on, among others, the Dean Edwards base library. For whatever reason, Dean has this line of code among his utilities:

Function.prototype.prototype = {};

This triggers a regression that causes some weird behaviour in current nightly when other JS on the Kayak site tries to use to get an array from an arguments object. What you get is classified as an Array, but actually its __proto__ is Object and it doesn't have normal array methods. See TC.

Moved from
Ah, got it. ArraySpeciesCreate calls std_Array when |originalArray| is not an array. However, in the spec this doesn't call the default array constructor, but ArrayCreate. The default array constructor (22.1.1), however, uses GetPrototypeFromConstructor, which would end up using this .prototype property.
So to summarize: using std_Array is wrong; we should probably use something like NewDenseArray?
Flags: needinfo?(arai.unmht)
Sorry I forgot: Hallvord, thanks for this awesome test case!
Arai-san mentions this should be turned s-s. (ref bug 1263525)
Group: javascript-core-security
This is basically a dupe of bug 1263525, but might be better keeping this bug to track the issue on the website.
Now that we have an actual website that hit the issue, we should fix it quickly.
Flags: needinfo?(arai.unmht)
See Also: → 1263525
Hallvord, the fix from bug 1263525 landed on m-c on 04-26. Would you be able to validate that the issue with is now fixed as expected on a latest Nightly build? Thanks!
Flags: needinfo?(hsteen)
Tested, works :) Let's call this a dup of
Closed: 6 years ago
Flags: needinfo?(hsteen)
Resolution: --- → DUPLICATE
Duplicate of bug: 1263525
Group: javascript-core-security
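The mechanism described in this bug, as an added example that is not part of the report or of the SpiderMonkey fix: when the constructor handed to GetPrototypeFromConstructor has no own .prototype, the lookup walks up to Function.prototype.prototype, so the {} installed by the base library becomes the [[Prototype]] of a freshly created Array exotic object. The bound-function newTarget below is an assumption standing in for the self-hosted std_Array path the comments describe; ArrayCreate never consults .prototype, which is why the spec'd path is immune.

```javascript
// Mirrors the line quoted from the Dean Edwards base library.
function poisonFunctionPrototype() {
  Function.prototype.prototype = {};
}

function unpoisonFunctionPrototype() {
  delete Function.prototype.prototype;
}

// Engine-style path (assumption, stands in for std_Array): a bound function is a
// constructor but has no own "prototype" property, so GetPrototypeFromConstructor's
// Get(ctor, "prototype") falls through to Function.prototype.prototype.
function createArrayViaConstructor(len) {
  const newTarget = function () {}.bind(null);
  return Reflect.construct(Array, [len], newTarget);
}

// Spec path: ArraySpeciesCreate on a non-array |originalArray| calls ArrayCreate,
// whose [[Prototype]] is always %Array.prototype%, regardless of Function.prototype.
function createArraySpec(len) {
  return new Array(len);
}

// Detection check: IsArray says yes, but Array.prototype is missing from the chain,
// which is exactly the "classified as Array but __proto__ is Object" object reported.
function isDetachedArray(obj) {
  return Array.isArray(obj) && !(obj instanceof Array);
}

// Usage: poison, create through the constructor path, inspect, then clean up.
poisonFunctionPrototype();
const weird = createArrayViaConstructor(2);
console.log(Array.isArray(weird), typeof weird.slice, isDetachedArray(weird));
console.log(isDetachedArray(createArraySpec(2)));
unpoisonFunctionPrototype();
```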