Closed Bug 666371 Opened 13 years ago Closed 13 years ago

JavaScript aborts when trying to access arguments.callee.caller from the top element of a call stack

Categories

(Core :: JavaScript Engine, defect)

x86
Windows Server 2003
defect
Not set
normal


RESOLVED DUPLICATE of bug 666587

People

(Reporter: ma1, Unassigned)

Details

Seems new in 7.0a1 (2011-06-22).

To reproduce, open http://evil.hackademix.net/callee.html with JavaScript enabled.

Expected result: an alert box saying "load done";
Actual result: an alert box saying "load failed";

The problem is the arguments.callee.caller.caller statement which is attempted inside a function called by an event handler installed via attribute parsing.

The JavaScript code is aborted immediately (like in an OM error), and the finally block is never reached.

Notice that the problem happens also in chrome code and also if the event handler is attached by other means, as can be seen by evaluating the following snippet in the Error Console and trying to open a link in a new tab:

top.opener.document.getElementById("context-openlinkintab").oncommand = top.opener.eval("function(){alert('here'); try { arguments.callee.caller } finally {alert('there')}}")
I think I tried too hard in Bug 640593. This could work, untested!
>if (!fp->prev())
>   return false;
>
>StackFrame *frame = js_GetScriptedCaller(cx, fp->prev());
>if (!frame || !frame->getValidCalleeObject(cx, vp))
>    return false;
to
>StackFrame *frame = (fp->prev()) ? js_GetScriptedCaller(cx, fp->prev()) : NULL;
>if (!frame)
>    return true;
>if (!frame->getValidCalleeObject(cx, vp))
>    return false;

Don't know, maybe we just want to throw proper errors anyway. I don't care enough about ".caller" though.
Simplified test case, this can be run anywhere a window context is available, and should alert "Done" but is silent because of this bug:
<script>
setTimeout(function(){ try { arguments.callee.caller } finally { alert("Done") }}, 0);
</script>

http://mxr.mozilla.org/mozilla-central/search?string=callee.caller&find=&findi=&filter=^[^\0]*%24&hitlimit=&tree=mozilla-central
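The expected contract that the test case above relies on, written out as an added example (not code from the bug report or from SpiderMonkey): a probe records what `arguments.callee.caller` returns and whether the `finally` block ran. Called from another sloppy-mode function the caller is that function; called by the event loop (as with the `setTimeout` test case) it is `null`, and `finally` must still run; under strict mode the `callee` access itself throws a `TypeError`. The functions are built with `new Function` so they stay sloppy-mode even when the file is loaded as a strict ES module; the names `probeCaller`, `strictProbe`, `callFromFunction`, `fromFunction` and `fromTimer` are this example's own.

```javascript
// Shared probe body: record the caller, any exception, and whether finally ran.
const PROBE_BODY = `
  var result = { caller: undefined, error: null, finallyRan: false };
  try {
    result.caller = arguments.callee.caller;  // null at the top of the stack
  } catch (e) {
    result.error = e;                         // TypeError under strict mode
  } finally {
    result.finallyRan = true;                 // must run on every path
  }
  if (typeof cb === "function") cb(result);   // deliver the result asynchronously
  return result;
`;

// Sloppy-mode probe (new Function ignores the enclosing file's strictness).
const probeCaller = new Function("cb", PROBE_BODY);

// Same body with a "use strict" directive: arguments.callee is a poison pill here.
const strictProbe = new Function("cb", '"use strict";\n' + PROBE_BODY);

// A sloppy-mode function sitting one frame above the probe.
const callFromFunction = new Function("probe", "return probe();");

// Case 1: called from another function -> caller is that function.
function fromFunction() {
  return callFromFunction(probeCaller);
}

// Case 2: called by the event loop, like the setTimeout test case in the bug.
// The timer invokes the probe directly (no intermediate JS frame of ours), and
// the extra setTimeout argument becomes the probe's cb parameter.
function fromTimer() {
  return new Promise(function (resolve) {
    setTimeout(probeCaller, 0, resolve);
  });
}

// Stand-alone run: print the three cases.
console.log("from function:", fromFunction().caller === callFromFunction);
console.log("strict mode:", strictProbe().error instanceof TypeError);
fromTimer().then(function (r) {
  console.log("from timer: caller =", r.caller, "finallyRan =", r.finallyRan);
});
```

Code that walks the caller chain has to handle both outcomes the probe exposes: a `null` at the top of the stack and a `TypeError` when any function in the chain is strict. The bug reported here is that the engine took a third path, aborting the script without running `finally`, which the probe's `finallyRan` flag would show as `false` on an affected build.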
Summary: JavaScript aborts when trying to access the null caller of an event handler via arguments.callee.caller chain. → JavaScript aborts when trying to access arguments.callee.caller from the top element of a call stack
Could you get us a regression window on this using nightlies?
(In reply to comment #2)
> Simplified test case, this can be run anywhere a window context is
> available, and should alert "Done" but is silent because of this bug:
> <script>
> setTimeout(function(){ try { arguments.callee.caller } finally {
> alert("Done") }}, 0);
> </script>
> 
> http://mxr.mozilla.org/mozilla-central/search?string=callee.
> caller&find=&findi=&filter=^[^\0]*%24&hitlimit=&tree=mozilla-central

(In reply to comment #3)
> Could you get us a regression window on this using nightlies?

Regression window:
Works( an alert box "Done" appears ):
http://hg.mozilla.org/tracemonkey/rev/e59b1d2a2f79
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110617 Firefox/7.0a1 ID:20110617173815
Fails( no alert box ):
http://hg.mozilla.org/tracemonkey/rev/9ced98ee3aa9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0a1) Gecko/20110618 Firefox/7.0a1 ID:20110618050724
Pushlog:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=e59b1d2a2f79&tochange=9ced98ee3aa9
Triggered by:
9ced98ee3aa9	Tom Schuster — Bug 640593 - Remove Function.arity and other cleanup around function properties r=jorendorff
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE