From 4e94cd8b08b7fe9324159a9838b72ecc60dc4afb Mon Sep 17 00:00:00 2001
From: "ricow@chromium.org"
Date: Thu, 1 Sep 2011 11:09:11 +0000
Subject: [PATCH] Make arguments and caller always be null on native functions (fixes issue 1548 and issue 1643).

With this change we follow Firefox, Safari has a slightly different approach where the property is just not there (at least according to GetOwnProperty).

Review URL: http://codereview.chromium.org/7792054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9093 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/v8natives.js | 9 ++++++
 test/mjsunit/regress/regress-1548.js | 48 ++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-1548.js

diff --git a/src/v8natives.js b/src/v8natives.js
index 035fd2e2b..2039fea27 100644
--- a/src/v8natives.js
+++ b/src/v8natives.js
@@ -55,6 +55,15 @@ function InstallFunctions(object, attributes, functions) {
 var f = functions[i + 1];
 %FunctionSetName(f, key);
 %FunctionRemovePrototype(f);
+ // We match firefox on this, but not Safari (which does not have the
+ // property at all).
+ %IgnoreAttributesAndSetProperty(f, "caller",
+ null,
+ DONT_ENUM | DONT_DELETE);
+ %IgnoreAttributesAndSetProperty(f, "arguments",
+ null,
+ DONT_ENUM | DONT_DELETE);
+
 %SetProperty(object, key, f, attributes);
 %SetNativeFlag(f);
 }
diff --git a/test/mjsunit/regress/regress-1548.js b/test/mjsunit/regress/regress-1548.js
new file mode 100644
index 000000000..074007b91
--- /dev/null
+++ b/test/mjsunit/regress/regress-1548.js
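Review bot: The comment added above the two %IgnoreAttributesAndSetProperty calls names the browser being matched but not what the null properties are for, which is the security-relevant part of the change: an own, non-deletable `caller`/`arguments` data property shadows the accessors inherited from Function.prototype, so a native function installed here can never hand back the function or arguments object that invoked it. I would replace the comment with `// Shadow the inherited "caller"/"arguments" accessors with non-deletable null properties so a native function never exposes its caller (we match Firefox here; Safari omits the property entirely).` Only functions that go through InstallFunctions get the shadow; a native installed through another path (a direct %SetProperty, or a constructor set up elsewhere in this file) presumably still inherits the accessors, which is worth confirming against the other install helpers. The attributes are DONT_ENUM | DONT_DELETE but not READ_ONLY, so script can still reassign the value; that cannot re-expose the accessor because the property is non-configurable, but adding READ_ONLY would make the intent explicit. InstallFunctions starts and ends outside the hunk.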
@@ -0,0 +1,48 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Test that the caller and arguments objects are not available on native
+// functions.
+
+function testfn(f) { return [1].map(f)[0]; }
+function foo() { return [].map.caller; }
+assertEquals(null, testfn(foo));
+
+// Try to delete the caller property (to make sure that we can't get to the
+// caller accessor on the prototype.
+delete Array.prototype.map.caller;
+assertEquals(null, testfn(foo));
+
+// Redo tests with arguments object.
+function testarguments(f) { return [1].map(f)[0]; }
+function bar() { return [].map.arguments; }
+assertEquals(null, testfn(bar));
+
+// Try to delete the arguments property (to make sure that we can't get to the
+// caller accessor on the prototype.
+delete Array.prototype.map.arguments;
+assertEquals(null, testarguments(bar));
--
2.34.1
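Review bot: The `delete Array.prototype.map.caller;` and `delete Array.prototype.map.arguments;` statements are executed but their result is never checked, so the DONT_DELETE half of the fix is not actually covered: if the property were configurable the delete would succeed and the following assertEquals would only reflect whatever the inherited accessor happens to return for this call. Asserting the delete itself, `assertFalse(delete Array.prototype.map.caller);` and `assertFalse(delete Array.prototype.map.arguments);`, pins the non-configurable attribute directly. Separately, the arguments block calls `testfn(bar)` where `testarguments(bar)` was evidently intended, and its comment still says "caller accessor" and leaves the parenthesis unclosed; the two comments would read `// Try to delete the caller property (to make sure that we can't get to the caller accessor on the prototype).` and `// Try to delete the arguments property (to make sure that we can't get to the arguments accessor on the prototype).`.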