Closed
Bug 507453
Opened 15 years ago
Closed 15 years ago
negative indexes on built-in objects sometimes return special properties
Categories
(Core :: JavaScript Engine, defect, P2)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
| status1.9.1 | --- | .8-fixed |
People
(Reporter: sayrer, Assigned: brendan)
References
()
Details
Attachments
(1 file)
|
834 bytes,
patch
|
igor
:
review+
dveditz
:
approval1.9.1.8+
|
Details | Diff | Splinter Review |
See attached URL for the stuff people have turned up. Secure JavaScript subsets consider this a problem.
|
Reporter | |
Comment 1•15 years ago
|
||
js> function args() { print(arguments[-3] == arguments.callee); print(typeof arguments[-3]); }
js> args()
true
function
|
|
Reporter | |
Updated•15 years ago
|
Flags: blocking1.9.2+
|
||
Comment 2•15 years ago
|
||
KILL IT. KILL IT WITH FIRE.
|
||
Comment 3•15 years ago
|
||
Sure, remove it, and bye bye introspection when "use strict" will be considered, right? This was my last hope about your .callee decision ... gone!
You have [-2] and [-1] as well at this point, have a look.
|
|
||
Comment 4•15 years ago
|
||
P.S. my first comment in that post:
I wrote about arguments secrets few weeks ago but I tested performances as well. Length, as callee, cost definitively more to be exposed but if these property will be there with “use strict” they could save JS debug!
|
||
Comment 5•15 years ago
|
||
Blake says this is a P2. Brendan, if this requires a beta, please mark as P2.
Priority: -- → P2
|
Assignee | |
Comment 6•15 years ago
|
||
This was fixed by the patch for bug 453728.
/be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
Whiteboard: [fixed by bug 453728]
|
|
Reporter | |
Comment 7•15 years ago
|
||
bug 453728 was fixed last year.
status1.9.2:
--- → beta1-fixed
Whiteboard: [fixed by bug 453728]
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #7)
> bug 453728 was fixed last year.
Sorry, pasted wrong bug #, as the "Depends on:" line shows; should be bug 507573.
There's some interest in a spot-fix to 1.9.1.x. Cc'ing dveditz, I'll attach the minimal patch in a bit.
/be
OS: Mac OS X → All
Hardware: x86 → All
|
|
Assignee | |
Comment 9•15 years ago
|
||
This is wanted on 1.9.1.x for the object-capability language verifiers targeting JS, so they don't have to blacklist indexing to avoid capability leaks.
/be
Attachment #420403 -
Flags: review?(igor)
|
||
Updated•15 years ago
|
Attachment #420403 -
Flags: review?(igor) → review+
|
|
Assignee | |
Updated•15 years ago
|
Attachment #420403 -
Flags: approval1.9.1.8?
|
||
Comment 10•15 years ago
|
||
Comment on attachment 420403 [details] [diff] [review]
one-line fix
Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #420403 -
Flags: approval1.9.1.8? → approval1.9.1.8+
|
|
||
Updated•15 years ago
|
status1.9.1:
--- → wanted
|
|
||
Updated•15 years ago
|
Whiteboard: [needs 1.9.1 landing]
|
|
Assignee | |
Comment 11•15 years ago
|
||
Whiteboard: [needs 1.9.1 landing]
You need to log in
before you can comment on or make changes to this bug.
Description
•