Function.arguments in JSC

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Function.arguments in JSC

Oliver Hunt-2
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.

We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.

If you’re interested in following directly you can track the bug: http://webkit.org/b/137167

—Oliver


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Brendan Eich-2
Huzzah!

IIRC, http://nba.com had some JS in it many years ago. While still in
development, V8 developers noticed it. I hope it's all gone.

/be

Oliver Hunt wrote:

> Hi all, as a heads up we’re going to be doing an experiment in our
> tree to see if we can kill off the function.arguments property entirely.
>
> We’re super hopeful we can make it go away safely, and we’ll post a
> follow up when we have some actual information about what happens.
>
> If you’re interested in following directly you can track the bug:
> http://webkit.org/b/137167
>
> —Oliver
>
_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

John Lenz-4
In reply to this post by Oliver Hunt-2
I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    

I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 

  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.

We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.

If you’re interested in following directly you can track the bug: http://webkit.org/b/137167

—Oliver


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss



_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Axel Rauschmayer
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`?

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    

I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 

  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.

We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.

If you’re interested in following directly you can track the bug: http://webkit.org/b/137167

—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de




_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Mark S. Miller-2
On Sun, Sep 28, 2014 at 5:59 AM, Axel Rauschmayer <[hidden email]> wrote:
Out of historical curiosity: was `Function.arguments` ever useful for anything?

It was useful to illustrate some attacks <http://research.google.com/pubs/pub37199.html>. If we had not successfully prohibited arguments from non-sloppy functions, or if we had not successfully prevented sloppy function from being accessible in SES, then it would have been useful for actual attacks.

 
Why not simply use `arguments`?

Because the attacks relied on obtaining the arguments from a function that was not trying to disclose these arguments.


 

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    

I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 

  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.

We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.

If you’re interested in following directly you can track the bug: http://webkit.org/b/137167

—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de




_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss




--
    Cheers,
    --MarkM

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Alex Kocharin
In reply to this post by Axel Rauschmayer
 
Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.
 
For example, it could allow to build stack traces without any support from the engine. How do you like this one?:
 
```js
function type(n) { return typeof n }
 
function show_trace() {
  var me = arguments.callee
 
  for (var i=0; i<10; i++) {
    console.log((me.name || '<anonymous>')
      + ' (' + [].slice.call(me.arguments).map(type) + ')')
    me = me.caller
  }
}
 
function foo() {
  show_trace()
}
 
function bar() {
  foo(1, 2, 3)
}
 
bar('some string')
```
 
```
$ node test.js 
show_trace ()
foo (number,number,number)
bar (string)
<anonymous> (object,function,object,string,string)
<anonymous> (string,string)
<anonymous> (object,string)
<anonymous> (string)
<anonymous> (string,object,boolean)
<anonymous> ()
startup ()
```
 
 
28.09.2014, 13:59, "Axel Rauschmayer" <[hidden email]>:
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`?

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    
 
I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 
 
  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.
 
We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.
 
If you’re interested in following directly you can track the bug: http://webkit.org/b/137167
 
—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de


,

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Mark S. Miller-2


On Sun, Sep 28, 2014 at 12:23 PM, Alex Kocharin <[hidden email]> wrote:
 
Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.
 
For example, it could allow to build stack traces without any support from the engine. How do you like this one?:

Fails on recursion. Function.{caller,arguments} are just broken. Good riddance.


 
 
```js
function type(n) { return typeof n }
 
function show_trace() {
  var me = arguments.callee
 
  for (var i=0; i<10; i++) {
    console.log((me.name || '<anonymous>')
      + ' (' + [].slice.call(me.arguments).map(type) + ')')
    me = me.caller
  }
}
 
function foo() {
  show_trace()
}
 
function bar() {
  foo(1, 2, 3)
}
 
bar('some string')
```
 
```
$ node test.js 
show_trace ()
foo (number,number,number)
bar (string)
<anonymous> (object,function,object,string,string)
<anonymous> (string,string)
<anonymous> (object,string)
<anonymous> (string)
<anonymous> (string,object,boolean)
<anonymous> ()
startup ()
```
 
 
28.09.2014, 13:59, "Axel Rauschmayer" <[hidden email]>:
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`?

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    
 
I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 
 
  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.
 
We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.
 
If you’re interested in following directly you can track the bug: http://webkit.org/b/137167
 
—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de


,

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss




--
    Cheers,
    --MarkM

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Oliver Hunt-2
In reply to this post by Alex Kocharin
As MarkM said it break on recursion, but we’re also only killing function.arguments, not (alas) function.caller so you can still build “pseudo” stack traces.

Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have 
function getStackTrace() {
    try {
        throw new Error
    } catch (e) {
        return e.stackTrace; // or whatever it is
    } 
}

—Oliver

On Sep 28, 2014, at 9:23 AM, Alex Kocharin <[hidden email]> wrote:

 
Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.
 
For example, it could allow to build stack traces without any support from the engine. How do you like this one?:
 
```js
function type(n) { return typeof n }
 
function show_trace() {
  var me = arguments.callee
 
  for (var i=0; i<10; i++) {
    console.log((me.name || '<anonymous>')
      + ' (' + [].slice.call(me.arguments).map(type) + ')')
    me = me.caller
  }
}
 
function foo() {
  show_trace()
}
 
function bar() {
  foo(1, 2, 3)
}
 
bar('some string')
```
 
```
$ node test.js 
show_trace ()
foo (number,number,number)
bar (string)
<anonymous> (object,function,object,string,string)
<anonymous> (string,string)
<anonymous> (object,string)
<anonymous> (string)
<anonymous> (string,object,boolean)
<anonymous> ()
startup ()
```
 
 
28.09.2014, 13:59, "Axel Rauschmayer" <[hidden email]>:
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`?

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    
 
I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 
 
  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.
 
We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.
 
If you’re interested in following directly you can track the bug: http://webkit.org/b/137167
 
—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de


,

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Tom Schuster
I am curious about how this going. Did you observe any breakage? I will probably look into at least adding a warning for this in Firefox very soon.

-Tom

On Sun, Sep 28, 2014 at 10:09 PM, Oliver Hunt <[hidden email]> wrote:
As MarkM said it break on recursion, but we’re also only killing function.arguments, not (alas) function.caller so you can still build “pseudo” stack traces.

Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have 
function getStackTrace() {
    try {
        throw new Error
    } catch (e) {
        return e.stackTrace; // or whatever it is
    } 
}

—Oliver

On Sep 28, 2014, at 9:23 AM, Alex Kocharin <[hidden email]> wrote:

 
Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.
 
For example, it could allow to build stack traces without any support from the engine. How do you like this one?:
 
```js
function type(n) { return typeof n }
 
function show_trace() {
  var me = arguments.callee
 
  for (var i=0; i<10; i++) {
    console.log((me.name || '<anonymous>')
      + ' (' + [].slice.call(me.arguments).map(type) + ')')
    me = me.caller
  }
}
 
function foo() {
  show_trace()
}
 
function bar() {
  foo(1, 2, 3)
}
 
bar('some string')
```
 
```
$ node test.js 
show_trace ()
foo (number,number,number)
bar (string)
<anonymous> (object,function,object,string,string)
<anonymous> (string,string)
<anonymous> (object,string)
<anonymous> (string)
<anonymous> (string,object,boolean)
<anonymous> ()
startup ()
```
 
 
28.09.2014, 13:59, "Axel Rauschmayer" <[hidden email]>:
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`?

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    
 
I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 
 
  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.
 
We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.
 
If you’re interested in following directly you can track the bug: http://webkit.org/b/137167
 
—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de


,

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss



_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Function.arguments in JSC

Oliver Hunt-2
We haven’t seen any real problems yet — function.arguments returns a fake arguments object with no access to the parameters and that seems to keep sites happy.

—Oliver

On Oct 15, 2014, at 11:52 AM, Tom Schuster <[hidden email]> wrote:

I am curious about how this going. Did you observe any breakage? I will probably look into at least adding a warning for this in Firefox very soon.

-Tom

On Sun, Sep 28, 2014 at 10:09 PM, Oliver Hunt <[hidden email]> wrote:
As MarkM said it break on recursion, but we’re also only killing function.arguments, not (alas) function.caller so you can still build “pseudo” stack traces.

Note that neither .arguments nor .caller work in strict mode functions (they’re specified to throw), and all engines build real stack traces on exceptions nowadays, so presumably you could have 
function getStackTrace() {
    try {
        throw new Error
    } catch (e) {
        return e.stackTrace; // or whatever it is
    } 
}

—Oliver

On Sep 28, 2014, at 9:23 AM, Alex Kocharin <[hidden email]> wrote:

 
Yes, it's a powerful meta-programming tool. I don't use it much, but it's sad to see things like that going away from javascript.
 
For example, it could allow to build stack traces without any support from the engine. How do you like this one?:
 
```js
function type(n) { return typeof n }
 
function show_trace() {
  var me = arguments.callee
 
  for (var i=0; i<10; i++) {
    console.log((me.name || '<anonymous>')
      + ' (' + [].slice.call(me.arguments).map(type) + ')')
    me = me.caller
  }
}
 
function foo() {
  show_trace()
}
 
function bar() {
  foo(1, 2, 3)
}
 
bar('some string')
```
 
```
$ node test.js 
show_trace ()
foo (number,number,number)
bar (string)
<anonymous> (object,function,object,string,string)
<anonymous> (string,string)
<anonymous> (object,string)
<anonymous> (string)
<anonymous> (string,object,boolean)
<anonymous> ()
startup ()
```
 
 
28.09.2014, 13:59, "Axel Rauschmayer" <[hidden email]>:
Out of historical curiosity: was `Function.arguments` ever useful for anything? Why not simply use `arguments`?

On Sep 28, 2014, at 6:51 , John Lenz <[hidden email]> wrote:

I took a look at Google's internal code index for reference to Function.prototype.arguments and turned up many references to it (PhpMyAdmin, some Intel benchmark, some internal code, etc).  This is only code used internally at Google (or was at one time) and not by any means an index of the entire web, but it does use the Closure Compiler and type information to accurately find references.  These are not just simply references to an "arguments" property but are references to the "arguments" property off of objects know to be functions.    These references roughly (from my quick perusal), were about 50% were V8 or similar unit tests, 25% references that could be trivially replaced with a reference to the active function's "arguments" variable, and 25% were doing something tricky  (Function.caller.arguments, someevent.handler.arguments).    
 
I'm sure you didn't expect that there would be zero breakage, but I wanted to give you a heads up that there might be more than you expect. 
 
  

On Sat, Sep 27, 2014 at 11:38 AM, Oliver Hunt <[hidden email]> wrote:
Hi all, as a heads up we’re going to be doing an experiment in our tree to see if we can kill off the function.arguments property entirely.
 
We’re super hopeful we can make it go away safely, and we’ll post a follow up when we have some actual information about what happens.
 
If you’re interested in following directly you can track the bug: http://webkit.org/b/137167
 
—Oliver

-- 
Dr. Axel Rauschmayer
[hidden email]
rauschma.de


,

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss


_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss




_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss