Problems with strict-mode caller poisoning

Dave Fugate dave.fugate at gmail.com
Thu Nov 29 08:10:20 PST 2012


The intention was definitely to test step 2 which this particular test
doesn't hit.  Looks like other 'step 2' tests do though:

     6 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l6>
/**

     7 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l7>
 * @path ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js

     8 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l8>
 * @description Strict mode - checking access to strict function
caller from non-strict function (FunctionDeclaration includes strict
directive prologue)

     9 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l9>
 * @noStrict

    10 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l10>
 * @negative TypeError

    11 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l11>
 */

    12 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l12>

    13 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l13>

    14 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l14>
function f() {

    15 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l15>
    "use strict";

    16 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l16>
    return gNonStrict();

    17 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l17>
}

    18 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l18>
f();

    19 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l19>

    20 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l20>

    21 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l21>
function gNonStrict() {

    22 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l22>
    return gNonStrict.caller || gNonStrict.caller.throwTypeError;

    23 <http://hg.ecmascript.org/tests/test262/file/53c4ade82d14/test/suite/ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-2gs.js#l23>
}


The assumption being made here as you've pointed out is that 'caller' must
evaluate to 'true' for this to work.  Otherwise, the test will erroneously
fail if an implementer set 'caller' to true for some weird reason.

To play devil's advocate, is there any JS engine out there who sets
'caller' to anything other than a function object or is there a way to make
a function object evaluate to falsie?  I think at worst this test deserves
the '@bestPractice' decoration=)


On Wed, Nov 28, 2012 at 10:18 PM, Andreas Rossberg <rossberg at google.com>wrote:

> On 29 November 2012 06:06, Dave Fugate <dave.fugate at gmail.com> wrote:
> > The naming 'gNonStrict' here refers to the function not containing a "use
> > strict" declaration itself, not that it's subject to strict mode.  Sorry
> > this intent wasn't clearer.
> >
> > Section 15.3.5.4 step 2 in my copy of ES5 reads:
> >     If P is "caller" and v is a strict mode Function object, throw a
> > TypeError exception.
> >
> > Is something other than Function's [[Get]] really supposed to be called
> in
> > this snippet?  E.g., 13.2.19.b.  If so, seems like they're still valid
> test
> > cases, only they apply to step 1 of 15.3.5.4, not step 2?
>
> I suppose so, but was that the intention? Either way, there currently
> is no test that actually tests step 2.
>
> /Andreas
>
>
> > On Wed, Nov 28, 2012 at 4:43 PM, Andreas Rossberg <rossberg at google.com>
> > wrote:
> >>
> >> On 29 November 2012 00:16, Dave Fugate <dave.fugate at gmail.com> wrote:
> >> > Believe you're correct on the former, but perhaps not the latter=)
> >> >
> >> > E.g.:
> >> >      6 /**
> >> >      7    * @path ch15/15.3/15.3.5/15.3.5.4/15.3.5.4_2-1gs.js
> >> >      8    * @description Strict mode - checking access to strict
> >> > function
> >> > caller from strict function (FunctionDeclaration defined within strict
> >> > mode)
> >> >      9   * @onlyStrict
> >> >     10  * @negative TypeError
> >> >     11  */
> >> >     12
> >> >     13
> >> >     14 "use strict";
> >> >     15 function f() {
> >> >     16     return gNonStrict();
> >> >     17 }
> >> >     18 f();
> >> >     19
> >> >     20
> >> >     21 function gNonStrict() {
> >> >     22     return gNonStrict.caller;
> >> >     23 }
> >> >
> >> > is globally scoped strict mode and passes only when a TypeError gets
> >> > thrown
> >> > indicating strict mode is in effect.
> >>
> >> The bug with this test (and others) is that gNonStrict is _not_ a
> >> non-strict function, its name notwithstanding. Hence the test throws
> >> for the wrong reason, namely because strict-function.caller is a
> >> poisoned getter, not because of Sec 15.3.5.4, which it is supposed to
> >> test.
> >>
> >> /Andreas
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20121129/5f7d5291/attachment.html>


More information about the es-discuss mailing list