346593 - arguments.callee.toString().length gives a weird result?

Status: RESOLVED INVALID

(Core :: JavaScript Engine, defect)

Description

[Bojan Zdrnja]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060614 Fedora/1.5.0.4-1.2.fc5 Firefox/1.5.0.4 pango-text
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060614 Fedora/1.5.0.4-1.2.fc5 Firefox/1.5.0.4 pango-text

During investigation of an exploit I was deobfuscating some JavaScript programs. You can see the complete writeup at http://isc.sans.org/diary.php?storyid=1519.

Anyway, the following code:

<html>
<head>
    <script type="text/javascript">
    <!--

    function func(){var l = arguments.callee.toString().length;alert(l);}

    func();
    //-->
    </script>
</head>
</html>


On Firefox you get 81 as the result.
On Internet Explorer you get 69. If you manually count characters you will see that Internet Explorer seems to be right here, so this looks like a bug in Firefox.

Reproducible: Always

Steps to Reproduce:
1. Copy HTML into a file.
2. Open in Mozilla.
3.

Actual Results:  
You get 81, 69 seems to be the correct result.

Expected Results:  
69

Comment 1

[Nickolay_Ponomarev]

from ECMA-262:
"""
15.3.4.2 Function.prototype.toString ( )
An implementation-dependent representation of the function is returned. This representation has the
syntax of a FunctionDeclaration. Note in particular that the use and placement of white space, line
terminators, and semicolons within the representation string is implementation-dependent.
"""

That's why you get different results in spidermonkey and IE.