Comment #12 on issue 222 by [email protected]: Arguments object is
copied on each access using Function.arguments.
https://code.google.com/p/v8/issues/detail?id=222
The issue of lazy initialisation of the Arguments object also manifests a
security problem.
In normal execution, the local 'arguments' object allows manipulation in a
way that affects the local scope's parameter variables.
The 'functionName.arguments' object, especially when accessed from outside
the current scope, is notably different in that its modifications do not
affect the variables in the local scope.
However, there are a number of interesting aspects to this bug that change
its behaviour. I can reproduce the following set of instructions in the
latest Chromium dev 44.0.2399.0 (uses V8 4.4.63).
function foo( x ) {
// Uncomment the following line to change the behaviour:
//arguments;
bar();
console.log( x );
}
function bar( y ) {
foo.arguments[0] = 1;
}
foo( 3 ); // Okay. Logs "3"
This produces "3" because Function#arguments is not allowed to modify
foo's current execution scope. However, due to this optimisation in V8 to
re-use the Arguments object, if 'arguments' is mentioned anywhere in the
function body, it will actually *leak* the object and expose the local
scope.
function foo( x ) {
// Uncomment the following line to change the behaviour:
arguments;
bar();
console.log( x );
}
function bar( y ) {
foo.arguments[0] = 1;
}
foo( 3 ); // Leak! Logs "1"
Thanks to David Chan ([email protected]) for uncovering that this only
happens if V8 detects use of 'arguments' in the functions at parse time,
not run time.
Using 'arguments' inside eval() will not create this bug and result in the
expected "3".
Using 'arguments' in an if-false block will actually cause this bug and
result in "1".
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
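Added example for readers of this thread; it is my own code, not part of the issue comment above and not code from the V8 tree. It packages the two variants from the comment into a probe that reports whether the running engine lets a callee write into a sloppy-mode caller's parameters through Function#arguments (the comment reports "true" for the variant that mentions 'arguments' on V8 4.4.63; other versions may differ, which is why the probe returns a boolean rather than assuming one), and it shows the mitigation a practitioner actually wants: in strict mode the 'arguments' accessor on a function throws, so the object can't be obtained from outside at all, and a strict function's own arguments object is unmapped. The helper names (makeLeakProbe, strictCallerIsProtected, sloppyArgumentsAlias, strictArgumentsDoNotAlias, report) are my own.

```javascript
// Added example, not code from the V8 issue or from V8 itself.
// Helper names below are hypothetical.

// new Function() always yields a sloppy-mode function (unless the body itself
// opts into strict mode), so the probes behave the same whether this file is
// loaded as a CommonJS script (sloppy) or as an ES module (strict).
function makeLeakProbe(mentionArguments) {
  const fooBody =
    (mentionArguments ? "arguments; " : "") + // parse-time mention only
    "bar(); return x;";
  return new Function(
    "function foo(x) { " + fooBody + " }" +
    // While foo is on the stack, foo.arguments is non-null in sloppy mode.
    "function bar() { foo.arguments[0] = 1; }" +
    // true  -> the write through foo.arguments reached foo's local x (leak)
    // false -> foo.arguments was a separate copy and x stayed 3
    "return foo(3) === 1;"
  );
}

// Same cross-scope write, but with foo and bar in strict mode: strict functions
// carry a throwing accessor for 'arguments', so bar cannot even obtain the
// object, let alone alias foo's parameters. Returns "TypeError" on success.
function strictCallerIsProtected() {
  "use strict";
  function foo(x) {
    try {
      bar();
    } catch (e) {
      return e instanceof TypeError ? "TypeError" : "unexpected:" + e;
    }
    return x;
  }
  function bar() {
    foo.arguments[0] = 1;
  }
  return foo(3);
}

// Baseline inside a function's own scope: a sloppy-mode arguments object is
// mapped onto the parameters, so arguments[0] = 99 rewrites x ...
const sloppyArgumentsAlias = new Function("x", "arguments[0] = 99; return x;");

// ... whereas a strict-mode arguments object is an unmapped copy and x is
// returned unchanged.
function strictArgumentsDoNotAlias(x) {
  "use strict";
  arguments[0] = 99;
  return x;
}

// Collects every probe result in one object so it can be inspected or asserted.
function report() {
  return {
    leakWithoutMention: makeLeakProbe(false)(),
    leakWithMention: makeLeakProbe(true)(),
    strictCaller: strictCallerIsProtected(),
    sloppyAlias: sloppyArgumentsAlias(3),
    strictAlias: strictArgumentsDoNotAlias(3),
  };
}

console.log(report());
```

Run it with node on the engine you care about: leakWithMention is the field that corresponds to the "Leak!" case in the comment, and leakWithoutMention to the "Okay" case. Whatever those two report, strictCaller is always "TypeError", which is the point: code that never runs in sloppy mode has no reachable Function#arguments to leak.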