caller poison pills, revisited (Was: A few arrow function specification issues)

Mark S. Miller erights at
Mon Apr 23 13:16:23 PDT 2012

On Mon, Apr 23, 2012 at 11:15 AM, Brendan Eich <brendan at> wrote:

> Allen Wirfs-Brock wrote:
>> This raises the issue that ES5.1 overlooked poisoning caller/arguments
>> for Function.prototype.  Only function objects created using the algorithm
>> in 13.2 have the poison pill properties and Function.prototype is not
>> specified using 13.2.
> Function.prototype is special already:
> js> Function.prototype
> function () {}
> js> Function.prototype.prototype
> js>
> I think we did the right thing in not adding poisoned pills to it. Was
> there a capability leak involving Function.prototype that I missed?

As allowed by the spec, yes. Fortunately, this is securable on the latest
available dev versions of IE, FF, Chrome, Safari, and Opera. For some of
these, even the released version is already securable.

From on
Chrome 19.0.1084.30


   [-] 29) All fine: Built in functions leak "caller".
   See Test Sbp_A10_T1

   [-] 30) All fine: Built in functions leak "arguments".
   See Test Sbp_A10_T2

visiting in
your browser will state whether your browser is securable. The diagnostic
on #29 and #30 will state whether this issue in particular is securable.
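
An added example, not part of the original message or of the test suite it cites: a JavaScript diagnostic that classifies what happens when `caller` and `arguments` are read on Function.prototype and on one built-in (Array.prototype.map, read while it is on the stack), and whether the property can still be removed or redefined. The function names and the four status labels are assumptions made for this illustration.

```javascript
// Find the descriptor that answers obj[key], own or inherited.
function findDescriptor(obj, key) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, key);
    if (desc) return desc;
  }
  return null;
}

// 'absent': no such property; 'poisoned': reading throws TypeError;
// 'inert': reads as null/undefined; 'leaks': reading yields a value.
function classify(fn, key, read = (f) => f[key]) {
  if (!findDescriptor(fn, key)) return 'absent';
  try {
    const v = read(fn);
    return v === null || v === undefined ? 'inert' : 'leaks';
  } catch (e) {
    if (e instanceof TypeError) return 'poisoned';
    throw e;
  }
}

// Securable here: the property can still be deleted or redefined on its holder.
function securable(fn, key) {
  const desc = findDescriptor(fn, key);
  return desc === null || desc.configurable === true;
}

// Read builtin[key] while the built-in is on the stack, called from a
// sloppy-mode function (built with Function so it is never strict).
function probeDuringCall(builtin, key) {
  const sloppy = Function('m', 'f', 'return m.call([m], f)[0];');
  return classify(builtin, key, () => sloppy(builtin, (m) => m[key]));
}

function audit() {
  const report = [];
  for (const key of ['caller', 'arguments']) {
    report.push({ target: 'Function.prototype', key,
      status: classify(Function.prototype, key),
      securable: securable(Function.prototype, key) });
    report.push({ target: 'Array.prototype.map (during call)', key,
      status: probeDuringCall(Array.prototype.map, key),
      securable: securable(Array.prototype.map, key) });
  }
  return report;
}
console.table(audit());
```

A `leaks` row with `securable: false` is the combination that initialization code cannot repair before untrusted code runs.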
