negative indexes on built-in objects sometimes return special properties

RESOLVED FIXED

Status

Core
JavaScript Engine
P2
normal
8 years ago
8 years ago

People

(Reporter: Robert Sayre, Assigned: brendan)

Tracking

Trunk
Points:
---
Bug Flags:
blocking1.9.2 +

Firefox Tracking Flags

(status1.9.2 beta1-fixed, status1.9.1 .8-fixed)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
See attached URL for the stuff people have turned up. Secure JavaScript subsets consider this a problem.
(Reporter)

Comment 1

8 years ago
js> function args() { print(arguments[-3] == arguments.callee); print(typeof arguments[-3]); } 
js> args()
true
function
(Reporter)

Updated

8 years ago
Flags: blocking1.9.2+
KILL IT. KILL IT WITH FIRE.

Comment 3

8 years ago
Sure, remove it, and bye bye introspection when "use strict" will be considered, right? This was my last hope about your .callee decision ... gone!

You have [-2] and [-1] as well at this point, have a look.

Comment 4

8 years ago
P.S. my first comment in that post:
I wrote about arguments secrets a few weeks ago but I tested performance as well. Length, as callee, costs definitively more to be exposed but if these properties will be there with “use strict” they could save JS debug!
(Assignee)

Updated

8 years ago
Depends on: 507573
Blake says this is a P2.  Brendan, if this requires a beta, please mark as P2.
Priority: -- → P2
(Assignee)

Comment 6

8 years ago
This was fixed by the patch for bug 453728.

/be
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 453728]
(Reporter)

Comment 7

8 years ago
bug 453728 was fixed last year.
status1.9.2: --- → beta1-fixed
Whiteboard: [fixed by bug 453728]
(Assignee)

Comment 8

8 years ago
(In reply to comment #7)
> bug 453728 was fixed last year.

Sorry, pasted wrong bug #, as the "Depends on:" line shows; should be bug 507573.

There's some interest in a spot-fix to 1.9.1.x. Cc'ing dveditz, I'll attach the minimal patch in a bit.

/be
OS: Mac OS X → All
Hardware: x86 → All
(Assignee)

Comment 9

8 years ago
Created attachment 420403 [details] [diff] [review]
one-line fix

This is wanted on 1.9.1.x for the object-capability language verifiers targeting JS, so they don't have to blacklist indexing to avoid capability leaks.

/be
Attachment #420403 - Flags: review?(igor)

Updated

8 years ago
Attachment #420403 - Flags: review?(igor) → review+
(Assignee)

Updated

8 years ago
Attachment #420403 - Flags: approval1.9.1.8?
Comment on attachment 420403 [details] [diff] [review]
one-line fix

Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #420403 - Flags: approval1.9.1.8? → approval1.9.1.8+
status1.9.1: --- → wanted
Whiteboard: [needs 1.9.1 landing]
(Assignee)

Comment 11

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/6793f52d584b

/be
status1.9.1: wanted → .8-fixed
Whiteboard: [needs 1.9.1 landing]
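
A regression probe for the behaviour reported in comment 1, added here as an example (not code from this bug or from Mozilla's test suite): it reads negative indexes on several built-in objects and reports any that resolve to a value, which is the check an object-capability verifier would otherwise have to replace with a blanket ban on indexing. The probed objects other than arguments, the depth of 8 and all function names are assumptions.

```javascript
// Built-in objects to probe. The arguments object is the one from comment 1;
// the other targets are assumed extras chosen for this example.
function makeTargets() {
  function f() { return arguments; }
  return {
    arguments: f(1, 2, 3),
    array: [1, 2, 3],
    func: f,
    string: new String("abc"),
    regexp: /x/,
    typedArray: new Uint8Array(4),
    object: {},
  };
}

// Return every index in [-1, -depth] that resolves to anything but undefined.
// depth = 8 is an assumed range; the thread only mentions [-1], [-2] and [-3].
function probeNegativeIndexes(obj, depth = 8) {
  const leaks = [];
  for (let i = -1; i >= -depth; i--) {
    let value;
    try {
      value = obj[i];
    } catch (e) {
      // A throwing getter is still an unexpected property at this index.
      leaks.push({ index: i, type: "throws:" + e.name });
      continue;
    }
    if (value !== undefined) {
      leaks.push({ index: i, type: typeof value });
    }
  }
  return leaks;
}

// Map of target name -> leaks; an empty object means nothing was exposed.
function scanBuiltins(depth = 8) {
  const report = {};
  for (const [name, obj] of Object.entries(makeTargets())) {
    const leaks = probeNegativeIndexes(obj, depth);
    if (leaks.length > 0) report[name] = leaks;
  }
  return report;
}

// Constructed positive control: an object that really has a "-3" property.
const control = probeNegativeIndexes({ "-3": function () {} });
console.log(JSON.stringify({ builtins: scanBuiltins(), control }));
```

On an engine with the behaviour from comment 1, the arguments entry would list index -3 with type "function"; on a fixed engine only the constructed control is reported.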