Function.arguments in JSC
Huzzah!
IIRC, nba.com had some JS in it many years ago. While still in development, V8 developers noticed it. I hope it's all gone.
Huzzah! IIRC, http://nba.com had some JS in it many years ago. While still in development, V8 developers noticed it. I hope it's all gone. /be Oliver Hunt wrote: > Hi all, as a heads up we’re going to be doing an experiment in our > tree to see if we can kill off the function.arguments property entirely. > > We’re super hopeful we can make it go away safely, and we’ll post a > follow up when we have some actual information about what happens. > > If you’re interested in following directly you can track the bug: > http://webkit.org/b/137167 > > —Oliver >
I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references. These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions. These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky (Function.caller.arguments, someevent.handler.arguments).
I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect.
I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references. These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions. These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky (Function.caller.arguments, someevent.handler.arguments). I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com> wrote: > Hi all, as a heads up we’re going to be doing an experiment in our tree to > see if we can kill off the function.arguments property entirely. > > We’re super hopeful we can make it go away safely, and we’ll post a follow > up when we have some actual information about what happens. > > If you’re interested in following directly you can track the bug: > http://webkit.org/b/137167 > > —Oliver > > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140927/6cc491f4/attachment.html>
Out of historical curiosity: was Function.arguments
ever useful for anything? Why not simply use arguments
?
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`? On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com> wrote: > I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references. These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions. These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky (Function.caller.arguments, someevent.handler.arguments). > > I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. > > > > On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com> wrote: > Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely. > > We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens. > > If you’re interested in following directly you can track the bug: http://webkit.org/b/137167 > > —Oliver -- Dr. Axel Rauschmayer axel at rauschma.de rauschma.de -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140928/d9cb70cd/attachment.html>
On Sun, Sep 28, 2014 at 5:59 AM, Axel Rauschmayer <axel at rauschma.de> wrote:
Out of historical curiosity: was
Function.arguments
ever useful for anything?
It was useful to illustrate some attacks research.google.com/pubs/pub37199.html. If we had not successfully prohibited arguments from non-sloppy functions, or if we had not successfully prevented sloppy function from being accessible in SES, then it would have been useful for actual attacks.
Why not simply use
arguments
?
Because the attacks relied on obtaining the arguments from a function that was not trying to disclose these arguments.
On Sun, Sep 28, 2014 at 5:59 AM, Axel Rauschmayer <axel at rauschma.de> wrote: > Out of historical curiosity: was `Function.arguments` ever useful for > anything? > It was useful to illustrate some attacks < http://research.google.com/pubs/pub37199.html>. If we had not successfully prohibited arguments from non-sloppy functions, or if we had not successfully prevented sloppy function from being accessible in SES, then it would have been useful for actual attacks. > Why not simply use `arguments`? > Because the attacks relied on obtaining the arguments from a function that was not trying to disclose these arguments. > > On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com> wrote: > > I took a look at Google's internal code index for reference to > Function.prototype.arguments and turned up many references to it > (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only > code used internally at Google (or was at one time) and not by any means > an index of the entire web, but it does use the Closure Compiler and type > information to accurately find references. These are not just simply > references to an "arguments" property but are references to the "arguments" > property off of objects know to be functions. These references roughly > (from my quick perusal), were about 50% were V8 or similar unit tests, 25% > references that could be trivially replaced with a reference to the active > function's "arguments" variable, and 25% were doing something tricky > (Function.caller.arguments, someevent.handler.arguments). > > I'm sure you didn't expect that there would be zero breakage, but I wanted > to give you a heads up that there might be more than you expect. > > > > On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com> wrote: > >> Hi all, as a heads up we’re going to be doing an experiment in our tree >> to see if we can kill off the function.arguments property entirely. >> >> We’re super hopeful we can make it go away safely, and we’ll post a >> follow up when we have some actual information about what happens. >> >> If you’re interested in following directly you can track the bug: >> http://webkit.org/b/137167 >> >> —Oliver >> > > -- > Dr. Axel Rauschmayer > axel at rauschma.de > rauschma.de > > > > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > -- Cheers, --MarkM -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140928/f81b95bd/attachment.html>
An HTML attachment was scrubbed... URL: esdiscuss/attachments/20140928/51fe34cd/attachment
An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140928/51fe34cd/attachment.html>
On Sun, Sep 28, 2014 at 12:23 PM, Alex Kocharin <alex at kocharin.ru> wrote:
Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.
For example, it could allow to build stack traces without any support from the engine. How do you like this one?:
Fails on recursion. Function.{caller,arguments} are just broken. Good riddance.
On Sun, Sep 28, 2014 at 12:23 PM, Alex Kocharin <alex at kocharin.ru> wrote: > > Yes, it's a powerful meta-programming tool. I don't use it much, but it's > sad to see things like that going away from javascript. > > For example, it could allow to build stack traces without any support from > the engine. How do you like this one?: > Fails on recursion. Function.{caller,arguments} are just broken. Good riddance. > > ```js > function type(n) { return typeof n } > > function show_trace() { > var me = arguments.callee > > for (var i=0; i<10; i++) { > console.log((me.name || '<anonymous>') > + ' (' + [].slice.call(me.arguments).map(type) + ')') > me = me.caller > } > } > > function foo() { > show_trace() > } > > function bar() { > foo(1, 2, 3) > } > > bar('some string') > ``` > > ``` > $ node test.js > show_trace () > foo (number,number,number) > bar (string) > <anonymous> (object,function,object,string,string) > <anonymous> (string,string) > <anonymous> (object,string) > <anonymous> (string) > <anonymous> (string,object,boolean) > <anonymous> () > startup () > ``` > > > 28.09.2014, 13:59, "Axel Rauschmayer" <axel at rauschma.de>: > > Out of historical curiosity: was `Function.arguments` ever useful for > anything? Why not simply use `arguments`? > > On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com> wrote: > > I took a look at Google's internal code index for reference to > Function.prototype.arguments and turned up many references to it > (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only > code used internally at Google (or was at one time) and not by any means > an index of the entire web, but it does use the Closure Compiler and type > information to accurately find references. These are not just simply > references to an "arguments" property but are references to the "arguments" > property off of objects know to be functions. These references roughly > (from my quick perusal), were about 50% were V8 or similar unit tests, 25% > references that could be trivially replaced with a reference to the active > function's "arguments" variable, and 25% were doing something tricky > (Function.caller.arguments, someevent.handler.arguments). > > I'm sure you didn't expect that there would be zero breakage, but I wanted > to give you a heads up that there might be more than you expect. > > > > On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com> wrote: > > Hi all, as a heads up we’re going to be doing an experiment in our tree to > see if we can kill off the function.arguments property entirely. > > We’re super hopeful we can make it go away safely, and we’ll post a follow > up when we have some actual information about what happens. > > If you’re interested in following directly you can track the bug: > http://webkit.org/b/137167 > > —Oliver > > > -- > Dr. Axel Rauschmayer > axel at rauschma.de > rauschma.de > > > , > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > -- Cheers, --MarkM -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140928/21231b94/attachment-0001.html>
As MarkM said it break on recursion, but we’re also only killing function.arguments, not (alas) function.caller so you can still build “pseudo” stack traces.
Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have
function getStackTrace() {
try {
throw new Error
} catch (e) {
return e.stackTrace; // or whatever it is
}
}
As MarkM said it break on recursion, but we’re also only killing function.arguments, not (alas) function.caller so you can still build “pseudo” stack traces. Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have function getStackTrace() { try { throw new Error } catch (e) { return e.stackTrace; // or whatever it is } } —Oliver > On Sep 28, 2014, at 9:23 AM, Alex Kocharin <alex at kocharin.ru> wrote: > > > Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript. > > For example, it could allow to build stack traces without any support from the engine. How do you like this one?: > > ```js > function type(n) { return typeof n } > > function show_trace() { > var me = arguments.callee > > for (var i=0; i<10; i++) { > console.log((me.name || '<anonymous>') > + ' (' + [].slice.call(me.arguments).map(type) + ')') > me = me.caller > } > } > > function foo() { > show_trace() > } > > function bar() { > foo(1, 2, 3) > } > > bar('some string') > ``` > > ``` > $ node test.js > show_trace () > foo (number,number,number) > bar (string) > <anonymous> (object,function,object,string,string) > <anonymous> (string,string) > <anonymous> (object,string) > <anonymous> (string) > <anonymous> (string,object,boolean) > <anonymous> () > startup () > ``` > > > 28.09.2014, 13:59, "Axel Rauschmayer" <axel at rauschma.de>: >> Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`? >> >> On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com <mailto:concavelenz at gmail.com>> wrote: >> >>> I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references. These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions. These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky (Function.caller.arguments, someevent.handler.arguments). >>> >>> I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. >>> >>> >>> >>> On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com <mailto:oliver at apple.com>> wrote: >>> Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely. >>> >>> We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens. >>> >>> If you’re interested in following directly you can track the bug: http://webkit.org/b/137167 <http://webkit.org/b/137167> >>> >>> —Oliver >> >> -- >> Dr. Axel Rauschmayer >> axel at rauschma.de <mailto:axel at rauschma.de> >> rauschma.de >> >> >> , >> _______________________________________________ >> es-discuss mailing list >> es-discuss at mozilla.org <mailto:es-discuss at mozilla.org> >> https://mail.mozilla.org/listinfo/es-discuss <https://mail.mozilla.org/listinfo/es-discuss>_______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140928/af540014/attachment.html>
I am curious about how this going. Did you observe any breakage? I will probably look into at least adding a warning for this in Firefox very soon.
I am curious about how this going. Did you observe any breakage? I will probably look into at least adding a warning for this in Firefox very soon. -Tom On Sun, Sep 28, 2014 at 10:09 PM, Oliver Hunt <oliver at apple.com> wrote: > As MarkM said it break on recursion, but we’re also only killing > function.arguments, not (alas) function.caller so you can still build > “pseudo” stack traces. > > Note that neither .arguments nor .caller work in strict mode functions > (they’re specified to throw), and all engines build real stack traces on > exceptions nowadays, so presumably you could have > function getStackTrace() { > try { > throw new Error > } catch (e) { > return e.stackTrace; // or whatever it is > } > } > > —Oliver > > On Sep 28, 2014, at 9:23 AM, Alex Kocharin <alex at kocharin.ru> wrote: > > > Yes, it's a powerful meta-programming tool. I don't use it much, but it's > sad to see things like that going away from javascript. > > For example, it could allow to build stack traces without any support from > the engine. How do you like this one?: > > ```js > function type(n) { return typeof n } > > function show_trace() { > var me = arguments.callee > > for (var i=0; i<10; i++) { > console.log((me.name || '<anonymous>') > + ' (' + [].slice.call(me.arguments).map(type) + ')') > me = me.caller > } > } > > function foo() { > show_trace() > } > > function bar() { > foo(1, 2, 3) > } > > bar('some string') > ``` > > ``` > $ node test.js > show_trace () > foo (number,number,number) > bar (string) > <anonymous> (object,function,object,string,string) > <anonymous> (string,string) > <anonymous> (object,string) > <anonymous> (string) > <anonymous> (string,object,boolean) > <anonymous> () > startup () > ``` > > > 28.09.2014, 13:59, "Axel Rauschmayer" <axel at rauschma.de>: > > Out of historical curiosity: was `Function.arguments` ever useful for > anything? Why not simply use `arguments`? > > On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com> wrote: > > I took a look at Google's internal code index for reference to > Function.prototype.arguments and turned up many references to it > (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only > code used internally at Google (or was at one time) and not by any means > an index of the entire web, but it does use the Closure Compiler and type > information to accurately find references. These are not just simply > references to an "arguments" property but are references to the "arguments" > property off of objects know to be functions. These references roughly > (from my quick perusal), were about 50% were V8 or similar unit tests, 25% > references that could be trivially replaced with a reference to the active > function's "arguments" variable, and 25% were doing something tricky > (Function.caller.arguments, someevent.handler.arguments). > > I'm sure you didn't expect that there would be zero breakage, but I wanted > to give you a heads up that there might be more than you expect. > > > > On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com> wrote: > > Hi all, as a heads up we’re going to be doing an experiment in our tree to > see if we can kill off the function.arguments property entirely. > > We’re super hopeful we can make it go away safely, and we’ll post a follow > up when we have some actual information about what happens. > > If you’re interested in following directly you can track the bug: > http://webkit.org/b/137167 > > —Oliver > > > -- > Dr. Axel Rauschmayer > axel at rauschma.de > rauschma.de > > > , > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org > https://mail.mozilla.org/listinfo/es-discuss > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20141015/2234a73d/attachment-0001.html>
We haven’t seen any real problems yet — function.arguments returns a fake arguments object with no access to the parameters and that seems to keep sites happy.
—Oliver
We haven’t seen any real problems yet — function.arguments returns a fake arguments object with no access to the parameters and that seems to keep sites happy. —Oliver > On Oct 15, 2014, at 11:52 AM, Tom Schuster <tom at schuster.me> wrote: > > I am curious about how this going. Did you observe any breakage? I will probably look into at least adding a warning for this in Firefox very soon. > > -Tom > > On Sun, Sep 28, 2014 at 10:09 PM, Oliver Hunt <oliver at apple.com <mailto:oliver at apple.com>> wrote: > As MarkM said it break on recursion, but we’re also only killing function.arguments, not (alas) function.caller so you can still build “pseudo” stack traces. > > Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have > function getStackTrace() { > try { > throw new Error > } catch (e) { > return e.stackTrace; // or whatever it is > } > } > > —Oliver > >> On Sep 28, 2014, at 9:23 AM, Alex Kocharin <alex at kocharin.ru <mailto:alex at kocharin.ru>> wrote: >> >> >> Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript. >> >> For example, it could allow to build stack traces without any support from the engine. How do you like this one?: >> >> ```js >> function type(n) { return typeof n } >> >> function show_trace() { >> var me = arguments.callee >> >> for (var i=0; i<10; i++) { >> console.log((me.name <http://me.name/> || '<anonymous>') >> + ' (' + [].slice.call(me.arguments).map(type) + ')') >> me = me.caller >> } >> } >> >> function foo() { >> show_trace() >> } >> >> function bar() { >> foo(1, 2, 3) >> } >> >> bar('some string') >> ``` >> >> ``` >> $ node test.js >> show_trace () >> foo (number,number,number) >> bar (string) >> <anonymous> (object,function,object,string,string) >> <anonymous> (string,string) >> <anonymous> (object,string) >> <anonymous> (string) >> <anonymous> (string,object,boolean) >> <anonymous> () >> startup () >> ``` >> >> >> 28.09.2014, 13:59, "Axel Rauschmayer" <axel at rauschma.de <mailto:axel at rauschma.de>>: >>> Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`? >>> >>> On Sep 28, 2014, at 6:51 , John Lenz <concavelenz at gmail.com <mailto:concavelenz at gmail.com>> wrote: >>> >>>> I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc). This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references. These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions. These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky (Function.caller.arguments, someevent.handler.arguments). >>>> >>>> I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. >>>> >>>> >>>> >>>> On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <oliver at apple.com <mailto:oliver at apple.com>> wrote: >>>> Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely. >>>> >>>> We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens. >>>> >>>> If you’re interested in following directly you can track the bug: http://webkit.org/b/137167 <http://webkit.org/b/137167> >>>> >>>> —Oliver >>> >>> -- >>> Dr. Axel Rauschmayer >>> axel at rauschma.de <mailto:axel at rauschma.de> >>> rauschma.de <http://rauschma.de/> >>> >>> , >>> _______________________________________________ >>> es-discuss mailing list >>> es-discuss at mozilla.org <mailto:es-discuss at mozilla.org> >>> https://mail.mozilla.org/listinfo/es-discuss <https://mail.mozilla.org/listinfo/es-discuss>_______________________________________________ >> es-discuss mailing list >> es-discuss at mozilla.org <mailto:es-discuss at mozilla.org> >> https://mail.mozilla.org/listinfo/es-discuss <https://mail.mozilla.org/listinfo/es-discuss> > > > _______________________________________________ > es-discuss mailing list > es-discuss at mozilla.org <mailto:es-discuss at mozilla.org> > https://mail.mozilla.org/listinfo/es-discuss <https://mail.mozilla.org/listinfo/es-discuss> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20141015/1dc299f8/attachment.html>
as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.
We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.
If you’re interested in following directly you can track the bug: webkit.org/b/137167