Bug 507453 - negative indexes on built-in objects sometimes return special properties
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
P2 normal
: ---
Assigned To: Brendan Eich [:brendan]
: Jason Orendorff [:jorendorff]
Depends on: 507573
Reported: 2009-07-30 12:05 PDT by Robert Sayre
Modified: 2010-01-11 17:26 PST
sayrer: blocking1.9.2+

one-line fix (834 bytes, patch)
2010-01-06 13:42 PST, Brendan Eich [:brendan]
igor: review+
dveditz: approval1.9.1.8+

Description Robert Sayre 2009-07-30 12:05:53 PDT
See attached URL for the stuff people have turned up. Secure JavaScript subsets consider this a problem.
Comment 1 Robert Sayre 2009-07-30 12:07:00 PDT
js> function args() { print(arguments[-3] == arguments.callee); print(typeof arguments[-3]); } 
js> args()
Comment 2 Mike Shaver (:shaver -- probably not reading bugmail closely) 2009-07-30 14:41:10 PDT
Comment 3 Andrea Giammarchi 2009-07-31 08:47:58 PDT
Sure, remove it, and bye bye introspection when "use strict" will be considered, right? This was my last hope about your .callee decision ... gone!

You have [-2] and [-1] as well at this point, have a look.
Comment 4 Andrea Giammarchi 2009-07-31 08:48:52 PDT
P.S. my first comment in that post:
I wrote about arguments secrets a few weeks ago but I tested performance as well. Length, as callee, cost definitively more to be exposed but if these properties will be there with “use strict” they could save JS debug!
Comment 5 Damon Sicore (:damons) 2009-09-17 12:43:19 PDT
Blake says this is a P2.  Brendan, if this requires a beta, please mark as P2.
Comment 6 Brendan Eich [:brendan] 2009-09-23 14:25:39 PDT
This was fixed by the patch for bug 453728.

Comment 7 Robert Sayre 2009-12-21 07:28:07 PST
bug 453728 was fixed last year.
Comment 8 Brendan Eich [:brendan] 2010-01-05 13:29:50 PST
(In reply to comment #7)
> bug 453728 was fixed last year.

Sorry, pasted wrong bug #, as the "Depends on:" line shows; should be bug 507573.

There's some interest in a spot-fix to 1.9.1.x. Cc'ing dveditz, I'll attach the minimal patch in a bit.

Comment 9 Brendan Eich [:brendan] 2010-01-06 13:42:01 PST
Created attachment 420403
one-line fix

This is wanted on 1.9.1.x for the object-capability language verifiers targeting JS, so they don't have to blacklist indexing to avoid capability leaks.
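
A regression probe for the behaviour reported in comments 1 and 3, as an added example that is not part of the original bug thread or of the attached patch. The function names, the leak criterion (an index yields a value although no such property is declared) and the Proxy stand-in are assumptions of this example.

```javascript
// Added example, not from the bug: names and criterion below are assumptions.

// Report negative indexes that yield a value although the object declares no
// such property, and list named properties holding the same value.
function negativeIndexLeaks(obj, depth = 8) {
  const boxed = Object(obj); // lets `in` and name listing work on primitives
  const leaks = [];
  for (let i = -1; i >= -depth; i--) {
    const value = obj[i];
    if (value === undefined || String(i) in boxed) continue;
    const aliases = [];
    for (const name of Object.getOwnPropertyNames(boxed)) {
      try {
        if (Object.is(boxed[name], value)) aliases.push(name);
      } catch (e) {
        // strict-mode accessors such as "callee" throw on read; skip them
      }
    }
    leaks.push({ index: i, type: typeof value, aliases });
  }
  return leaks;
}

// Run the probe over a sample of built-in objects; returns only offenders.
function probeBuiltins() {
  const samples = {
    arguments: (function () { return arguments; })(1, 2),
    array: [1, 2, 3],
    function: function f(a, b) {},
    string: "abc",
    regexp: /x/g,
    date: new Date(0),
  };
  return Object.entries(samples)
    .map(([name, obj]) => ({ name, leaks: negativeIndexLeaks(obj) }))
    .filter((r) => r.leaks.length > 0);
}

// Constructed stand-in for the reported behaviour (index -3 yields callee
// with no "-3" property declared); a Proxy is used only to simulate it.
function simulatedLeakyArguments() {
  const target = { callee: function callee() {}, length: 0 };
  return new Proxy(target, {
    get: (t, key, recv) => (key === "-3" ? t.callee : Reflect.get(t, key, recv)),
  });
}
```

On an engine without the bug, `probeBuiltins()` returns an empty array, while the simulated object is reported at index -3 with `callee` as its alias.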

Comment 10 Daniel Veditz [:dveditz] 2010-01-08 13:57:26 PST
Comment on attachment 420403
one-line fix

Approved for, a=dveditz for release-drivers
Comment 11 Brendan Eich [:brendan] 2010-01-11 17:26:10 PST

