Bug 507453 - negative indexes on built-in objects sometimes return special properties
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
: P2 normal
: ---
Assigned To: Brendan Eich [:brendan]
http://www.thespanner.co.uk/2009/07/1...
Depends on: 507573
Reported: 2009-07-30 12:05 PDT by Robert Sayre
Modified: 2010-01-11 17:26 PST
sayrer: blocking1.9.2+
beta1-fixed
.8-fixed


Attachments
one-line fix (834 bytes, patch)
2010-01-06 13:42 PST, Brendan Eich [:brendan]
igor: review+
dveditz: approval1.9.1.8+

Description Robert Sayre 2009-07-30 12:05:53 PDT
See attached URL for the stuff people have turned up. Secure JavaScript subsets consider this a problem.
Comment 1 Robert Sayre 2009-07-30 12:07:00 PDT
js> function args() { print(arguments[-3] == arguments.callee); print(typeof arguments[-3]); } 
js> args()
true
function
Comment 2 Mike Shaver (:shaver -- probably not reading bugmail closely) 2009-07-30 14:41:10 PDT
KILL IT. KILL IT WITH FIRE.
Comment 3 Andrea Giammarchi 2009-07-31 08:47:58 PDT
Sure, remove it, and bye bye introspection when "use strict" will be considered, right? This was my last hope about your .callee decision ... gone!

You have [-2] and [-1] as well at this point, have a look.
Comment 4 Andrea Giammarchi 2009-07-31 08:48:52 PDT
P.S. my first comment in that post:
I wrote about arguments secrets a few weeks ago but I tested performance as well. Length, as callee, cost definitively more to be exposed but if these properties will be there with “use strict” they could save JS debug!
Comment 5 Damon Sicore (:damons) 2009-09-17 12:43:19 PDT
Blake says this is a P2.  Brendan, if this requires a beta, please mark as P2.
Comment 6 Brendan Eich [:brendan] 2009-09-23 14:25:39 PDT
This was fixed by the patch for bug 453728.

/be
Comment 7 Robert Sayre 2009-12-21 07:28:07 PST
bug 453728 was fixed last year.
Comment 8 Brendan Eich [:brendan] 2010-01-05 13:29:50 PST
(In reply to comment #7)
> bug 453728 was fixed last year.

Sorry, pasted wrong bug #, as the "Depends on:" line shows; should be bug 507573.

There's some interest in a spot-fix to 1.9.1.x. Cc'ing dveditz, I'll attach the minimal patch in a bit.

/be
Comment 9 Brendan Eich [:brendan] 2010-01-06 13:42:01 PST
Created attachment 420403
one-line fix

This is wanted on 1.9.1.x for the object-capability language verifiers targeting JS, so they don't have to blacklist indexing to avoid capability leaks.

/be
Comment 10 Daniel Veditz [:dveditz] 2010-01-08 13:57:26 PST
Comment on attachment 420403
one-line fix

Approved for 1.9.1.8, a=dveditz for release-drivers
Comment 11 Brendan Eich [:brendan] 2010-01-11 17:26:10 PST
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/6793f52d584b

/be
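
A regression check for the behaviour shown in comment 1, as an added example that is not part of this bug thread or of the attached patch. The function names and the choice of sample built-ins are assumptions; it goes beyond the `arguments` case to probe a few other built-in objects and includes a constructed positive control.

```javascript
// Added regression check, not code from the bug or the Mozilla patch.
// probeNegativeIndexes, builtinSamples, auditEngine and controlFindings
// are hypothetical names chosen for this example.

// Read obj[-1] .. obj[-depth]. On a fresh built-in every read must be
// undefined. `known` maps labels to values a leak might alias (callee, length).
function probeNegativeIndexes(obj, known, depth) {
  const findings = [];
  for (let i = -1; i >= -depth; i--) {
    const value = obj[i];
    if (value === undefined) continue;
    // Identify which special property the index aliases, if any.
    const alias = Object.keys(known).find((k) => known[k] === value);
    findings.push({ index: i, type: typeof value, alias: alias || "unknown" });
  }
  return findings;
}

// Fresh built-ins on which script has defined no negative-index property.
function builtinSamples() {
  function f(a, b) {
    // The callee is passed by name so the check also runs in strict code.
    return { name: "arguments", obj: arguments,
             known: { callee: f, length: arguments.length } };
  }
  const arr = [1, 2, 3];
  return [
    f(1, 2),
    { name: "Array", obj: arr, known: { length: arr.length } },
    { name: "Function", obj: f, known: { prototype: f.prototype } },
    { name: "RegExp", obj: /x/g, known: { source: "x" } },
  ];
}

// Returns {} on an engine without the leak, else findings per object name.
function auditEngine(depth = 8) {
  const report = {};
  for (const s of builtinSamples()) {
    const hits = probeNegativeIndexes(s.obj, s.known, depth);
    if (hits.length) report[s.name] = hits;
  }
  return report;
}

// Positive control (constructed): a script-defined "-3" must be reported.
function controlFindings() {
  function g() { return g; }
  return probeNegativeIndexes({ "-3": g }, { callee: g }, 8);
}

console.log(JSON.stringify(auditEngine()));
```

An empty report means no negative index on the sampled objects returned a value; the control confirms the probe would have reported one.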