Function.arguments in JSC

# Oliver Hunt (10 years ago)

as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.

We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.

If you’re interested in following directly you can track the bug: webkit.org/b/137167

# Brendan Eich (10 years ago)

Huzzah!

IIRC, nba.com had some JS in it many years ago. While still in development, V8 developers noticed it. I hope it's all gone.

# John Lenz (10 years ago)

I took a look at Google's internal code index for references to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references. These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects known to be functions. These references, roughly (from my quick perusal), were about 50% V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% doing something tricky (Function.caller.arguments, someevent.handler.arguments).

I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect.

# Axel Rauschmayer (10 years ago)

Out of historical curiosity: was Function.arguments ever useful for anything? Why not simply use arguments?

# Mark S. Miller (10 years ago)

On Sun, Sep 28, 2014 at 5:59 AM, Axel Rauschmayer <axel at rauschma.de> wrote:

Out of historical curiosity: was Function.arguments ever useful for anything?

It was useful to illustrate some attacks: research.google.com/pubs/pub37199.html. If we had not successfully prohibited arguments from non-sloppy functions, or if we had not successfully prevented sloppy functions from being accessible in SES, then it would have been useful for actual attacks.

Why not simply use arguments?

Because the attacks relied on obtaining the arguments from a function that was not trying to disclose these arguments.

# Alex Kocharin (10 years ago)

An HTML attachment was scrubbed... URL: esdiscuss/attachments/20140928/51fe34cd/attachment

# Mark S. Miller (10 years ago)

On Sun, Sep 28, 2014 at 12:23 PM, Alex Kocharin <alex at kocharin.ru> wrote:

Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.

For example, it could allow one to build stack traces without any support from the engine. How do you like this one?:

Fails on recursion. Function.{caller,arguments} are just broken. Good riddance.

# Oliver Hunt (10 years ago)

As MarkM said it breaks on recursion, but we’re also only killing function.arguments, not (alas) function.caller, so you can still build “pseudo” stack traces.

Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have

```javascript
function getStackTrace() {
    try {
        throw new Error();
    } catch (e) {
        return e.stack; // non-standard, but every major engine fills it in
    }
}
```
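The following is an added example, not code from the thread or from WebKit. It makes MarkM's point concrete (a sloppy-mode function that never intends to return its arguments still discloses them to any callback that holds a reference to the function object, via the non-standard Function.prototype.arguments accessor), shows that the strict-mode prohibition Oliver mentions is what stops it, and uses Error.prototype.stack for the stack-trace use case. The victims are built with the Function constructor so their mode is fixed by their own directive prologue whatever module system loads the file; the secret value and function names are constructed for the example.

```javascript
// Added example: what Function.prototype.arguments discloses from a sloppy-mode
// function, why "use strict" is the mitigation, and how to capture a stack trace
// without .arguments or .caller. Not part of the original thread.
//
// Both "victim" functions are created with the Function constructor so that they
// are sloppy or strict purely by their own directive prologue, regardless of
// whether this file is loaded as CommonJS or as an ES module (ESM is strict
// throughout and would otherwise make a sloppy function declaration strict).

// Sloppy-mode victim: receives a secret and calls a callback; it never returns
// or otherwise exposes the secret on purpose.
const sloppyVictim = new Function('secret', 'callback',
  'callback(); return "done";');

// Strict-mode victim: identical apart from the "use strict" directive.
const strictVictim = new Function('secret', 'callback',
  '"use strict"; callback(); return "done";');

// What an untrusted callback can learn given only a reference to the victim
// function object: the first argument of the currently executing call (sloppy
// mode), null when the function is not on the stack, or a TypeError when the
// function is strict (the spec's poison-pill accessor on Function.prototype).
function probeArguments(target) {
  try {
    const args = target.arguments; // non-standard accessor; live only during a sloppy call
    return args === null ? null : args[0];
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'unexpected: ' + e;
  }
}

// Run one victim with a constructed secret and report what the callback saw.
function runProbe(victim) {
  let observed = 'callback never ran';
  victim('constructed-secret', () => { observed = probeArguments(victim); });
  return observed;
}

// Stack capture that needs neither .caller nor .arguments: Error.prototype.stack
// is non-standard, but every major engine fills it in. Returns the frame lines.
function captureStack() {
  const stack = new Error('stack probe').stack || '';
  return stack.split('\n').slice(1).map(line => line.trim());
}

function demo() {
  return {
    sloppyDuringCall: runProbe(sloppyVictim),      // 'constructed-secret' (leaked)
    sloppyAfterCall: probeArguments(sloppyVictim), // null (no active call)
    strictDuringCall: runProbe(strictVictim),      // 'TypeError' (blocked)
    strictAfterCall: probeArguments(strictVictim), // 'TypeError'
    stackHasFrames: captureStack().length > 0,     // true
  };
}

console.log(demo());
```

The sloppy case is exactly the pattern the thread is worried about: the leak needs no cooperation from the victim, only a reference to its function object while it is on the stack (an event handler or an object's method is enough). Wrapping the victim in strict mode, or running under SES where sloppy functions are unreachable, is the mitigation; note also MarkM's caveat that the accessor is unreliable under recursion, since it can only report one activation.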

# Tom Schuster (10 years ago)

I am curious about how this going. Did you observe any breakage? I will probably look into at least adding a warning for this in Firefox very soon.

# Oliver Hunt (10 years ago)

We haven’t seen any real problems yet — function.arguments returns a fake arguments object with no access to the parameters and that seems to keep sites happy.

—Oliver