1286629 - Object.freeze does not prevent sloppy arguments object from mapping

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[bakkot]

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce:

In the console or js shell, run:

(function(a) {
  Object.freeze(arguments);
  a = 1;
  return arguments[0] === 0;
})(0);



Actual results:

Should return true.

In particular, Object.freeze operates via SetIntegrityLevel (https://tc39.github.io/ecma262/#sec-setintegritylevel) which iterates over all properties and, for those which are not accessors, sets them to non-configurable *and non-writable* via DefineOwnProperty. DefineOwnProperty, for mapped arguments objects, says (in 9.4.4.2.8.b.ii; see https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc) that a non-writable descriptor should break the mapping between the arguments object and formal parameters. Instead, it is marked as non-writable and non-configurable, but the mapping remains.

This is a security issue: if you have a non-accessor property which is not configurable or writable, its value should not change.


Expected results:

Returns false.

Comment 1

[Tom S. (please needinfo tschuster)]

Attachment: Simple mapped arguments freeze test

Comment 2

[Tom S. (please needinfo tschuster)]

The actual problem here was fixed in bug 1175823.

Comment 3

[Tooru Fujisawa [:arai]]

Comment on attachment 8814858 [details] [diff] [review]
Simple mapped arguments freeze test

Review of attachment 8814858 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you for the explanation :D

Comment 4

[Pulsebot]

Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ecd2e5b74e52
Test that Object.freeze prevents sloppy arguments object from mapping. r=arai

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/ecd2e5b74e52