Function.arguments in JSC

Mark S. Miller erights at google.com
Sun Sep 28 08:58:21 PDT 2014


On Sun, Sep 28, 2014 at 5:59 AM, Axel Rauschmayer <axel at rauschma.de> wrote:

> Out of historical curiosity: was `Function.arguments` ever useful for
> anything?
>

It was useful to illustrate some attacks
<http://research.google.com/pubs/pub37199.html>. If we had not successfully
prohibited arguments from non-sloppy functions, or if we had not
successfully prevented sloppy functions from being accessible in SES, then
it would have been useful for actual attacks.



> Why not simply use `arguments`?
>

Because the attacks relied on obtaining the arguments from a function that
was not trying to disclose these arguments.




>
> On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com> wrote:
>
> I took a look at Google's internal code index for references to
> Function.prototype.arguments and turned up many references to it
> (PhpMyAdmin, some Intel benchmark, some internal code, etc.). This is only
> code used internally at Google (or was at one time) and not by any means
> an index of the entire web, but it does use the Closure Compiler and type
> information to accurately find references. These are not simply
> references to an "arguments" property but are references to the "arguments"
> property off of objects known to be functions. These references, roughly
> (from my quick perusal), were about 50% V8 or similar unit tests, 25%
> references that could be trivially replaced with a reference to the active
> function's "arguments" variable, and 25% doing something tricky
> (Function.caller.arguments, someevent.handler.arguments).
>
> I'm sure you didn't expect that there would be zero breakage, but I wanted
> to give you a heads up that there might be more than you expect.
>
>
>
> On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com> wrote:
>
>> Hi all, as a heads up we’re going to be doing an experiment in our tree
>> to see if we can kill off the function.arguments property entirely.
>>
>> We’re super hopeful we can make it go away safely, and we’ll post a
>> follow up when we have some actual information about what happens.
>>
>> If you’re interested in following directly you can track the bug:
>> http://webkit.org/b/137167
>>
>> —Oliver
>>
>
> --
> Dr. Axel Rauschmayer
> axel at rauschma.de
> rauschma.de
>
>
>
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>
>


-- 
    Cheers,
    --MarkM
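The disclosure channel Mark describes above, as an added example that is not part of the thread or of any engine's test suite: a function receives a secret and a callback and never returns or forwards the secret, yet an untrusted callback recovers it through the non-standard `fn.arguments` accessor (and, in the second variant John Lenz mentions, through `.caller.arguments` without even holding a reference to the victim). The function names and the secret value are constructed for the example; the behaviour shown is that of V8 under Node.js, which still implements these accessors for sloppy-mode functions, and is not an ECMAScript guarantee. The strict-mode variant shows the mitigation the thread refers to.

```javascript
// Added example (not from the es-discuss thread). Demonstrates how the
// non-standard `Function.prototype.arguments` / `.caller` accessors let a
// callback read arguments its caller never meant to disclose, and how
// strict mode closes the channel. Observed behaviour is V8 (Node.js);
// names and the secret "hunter2" are constructed for the example.

// Build the victims with `new Function` so each one's strictness comes from
// its own body, not from whether this file happens to run as a module.
// Both share the same contract: take a secret and a callback, invoke the
// callback, never return or forward the secret.
const sloppyVictim = new Function(
  "secret", "callback",
  "return callback();"
);

const strictVictim = new Function(
  "secret", "callback",
  "'use strict'; return callback();"
);

// Attack 1: the callback holds a reference to the victim function object
// (function objects are routinely shared) and reads `victim.arguments`
// while the victim's frame is still live on the stack.
function leakViaArguments(victim) {
  return victim("hunter2", function untrustedCallback() {
    try {
      // For a sloppy function this is the arguments object of the
      // invocation currently on the stack.
      return victim.arguments[0];
    } catch (e) {
      // For a strict function V8 throws TypeError on `.arguments` access.
      return e instanceof TypeError ? "blocked" : "error";
    }
  });
}

// Attack 2 (the `Function.caller.arguments` pattern John Lenz found in
// real code): the callback needs no reference to the victim at all. It is
// itself sloppy (built with `new Function`) so it may use arguments.callee
// and walk up `.caller` to whatever function invoked it.
const callerWalkingCallback = new Function(`
  var caller = arguments.callee.caller;  // V8 yields null when the caller is strict
  if (caller === null) return "blocked";
  try {
    return caller.arguments[0];
  } catch (e) {
    return e instanceof TypeError ? "blocked" : "error";
  }
`);

function leakViaCaller(victim) {
  return victim("hunter2", callerWalkingCallback);
}

// The channel exists only during the call: with no active invocation, V8
// reports null for a sloppy function's `.arguments`.
function argumentsWhenIdle() {
  return sloppyVictim.arguments;
}

console.log("sloppy victim, fn.arguments:        ", leakViaArguments(sloppyVictim));
console.log("strict victim, fn.arguments:        ", leakViaArguments(strictVictim));
console.log("sloppy victim, caller.arguments:    ", leakViaCaller(sloppyVictim));
console.log("strict victim, caller.arguments:    ", leakViaCaller(strictVictim));
console.log("sloppy victim idle, fn.arguments:   ", argumentsWhenIdle());
```

Neither `Function.prototype.arguments` nor `Function.prototype.caller` is specified by ECMAScript for sloppy functions; the specification only requires that accessing them on strict functions throw. That is why the two defences Mark names are complementary: strict mode protects any individual function that opts in, while an environment such as SES must additionally ensure that no sloppy function object is reachable by untrusted code at all, since a single reachable sloppy frame is enough for either variant above.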