Open Bug 1398816 Opened 8 years ago Updated 1 year ago

Function.prototype.caller leaks replacement function from asm.js HandleInstantiationFailure to content

Categories

(Core :: JavaScript Engine: JIT, defect, P5)

Tracking

REOPENED
Tracking Status
firefox57 --- wontfix

People

(Reporter: anba, Unassigned)

References

(Blocks 1 open bug)

Details

Test case:
---
function fn(stdlib, foreign, buffer){
    "use asm";
    var values = new stdlib.Float64Array(buffer);
    function main() {
        return 0;
    }
    return {main: main};
};

var badstdlib = {
    // Not the built-in Float64Array, so asm.js link-time validation fails.
    Float64Array: function f() {
        // f.caller is the function that invoked f; compare it with fn.
        var clonedFn = f.caller;
        print(clonedFn === fn);
    }
};
var foreign = {};
var buffer = new ArrayBuffer(2**16);
fn(badstdlib, foreign, buffer);
---

Expected: Prints "true"
Actual: Prints "false"

When asm.js linking fails, [1] creates a replacement function to proceed with the call (or construct). This replacement function is an implementation detail and should probably not be accessible to content code.

[1] http://searchfox.org/mozilla-central/rev/00fa5dacedb925022f53d025121f1a919508e7ce/js/src/wasm/AsmJS.cpp#8074-8076

Heh, yeah, this bug goes back to 2013; probably the 'fix' will be the removal of the asm.js optimization. On the bright side, iirc, f.caller is not specified?

(In reply to Luke Wagner [:luke] from comment #1)
> Heh, yeah, this bug goes back to 2013; probably the 'fix' will be the
> removal of the asm.js optimization.

Agreed, I don't think it's worthwhile to spend time fixing this issue. :-)

> On the bright side, iirc, f.caller is not specified?

Yes, it's not specified.

Priority: -- → P5
Severity: normal → S3

This seems to be working now.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

It still prints false for me. Is my shell build too old?

Flags: needinfo?(mgaudet)

... Oh, I missed a warning message when I tested in devtools (no available wasm compiler); I too get false in the shell.

Blocks: sm-runtime
Status: RESOLVED → REOPENED
Flags: needinfo?(mgaudet)
Resolution: WORKSFORME → ---