Closed
Bug 1100936
Opened 10 years ago
Closed 10 years ago
Handle various operations on revoked proxies
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
RESOLVED
FIXED
mozilla38
Tracking | Status | |
---|---|---|
firefox36 | --- | affected |
People
(Reporter: decoder, Assigned: evilpies)
References
(Blocks 1 open bug)
Details
(Keywords: crash, dev-doc-complete, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments (1 file)
revoked-proxy (5.60 KB, patch) | efaust: review+
The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --target=i686-pc-linux-gnu, run with --fuzzing-safe):
var r = Proxy.revocable({}, {});
var p = r.proxy;
r.revoke();
p instanceof p;
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=v@entry=..., bp=bp@entry=0xffffc45c) at js/src/jsobj.h:138
138 return type_->clasp();
(gdb) bt
#0 js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=v@entry=..., bp=bp@entry=0xffffc45c) at js/src/jsobj.h:138
#1 0x085ec4d2 in js::DirectProxyHandler::hasInstance (this=0x958d1e4 <js::ScriptedDirectProxyHandler::singleton>, cx=0x95de230, proxy=..., v=..., bp=0xffffc52c)
at js/src/proxy/DirectProxyHandler.cpp:106
#2 0x085ee9c1 in js::Proxy::hasInstance (cx=cx@entry=0x95de230, proxy=proxy@entry=..., v=v@entry=..., bp=bp@entry=0xffffc52c) at js/src/proxy/Proxy.cpp:473
#3 0x085eea36 in js::proxy_HasInstance (cx=0x95de230, proxy=..., v=..., bp=0xffffc858) at js/src/proxy/Proxy.cpp:801
#4 0x0861f85e in js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=..., bp=bp@entry=0xffffc858) at js/src/vm/Interpreter.cpp:687
#5 0x0864e7be in Interpret (cx=cx@entry=0x95de230, state=...) at js/src/vm/Interpreter.cpp:3288
#6 0x08656661 in js::RunScript (cx=cx@entry=0x95de230, state=...) at js/src/vm/Interpreter.cpp:432
#7 0x08665ee1 in js::ExecuteKernel (cx=cx@entry=0x95de230, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=...,
result=result@entry=0x0) at js/src/vm/Interpreter.cpp:641
#8 0x08668087 in js::Execute (cx=cx@entry=0x95de230, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:678
(gdb) info reg
eax 0x0 0
ecx 0x2 2
edx 0xffffc588 -14968
ebx 0x9596ff4 156856308
esp 0xffffc3a0 0xffffc3a0
ebp 0xffffc428 0xffffc428
esi 0xffffc3e0 -15392
edi 0xffffc3f8 -15368
eip 0x861f7ff 0x861f7ff <js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*)+31>
eflags 0x10202 [ IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x /i $pc
=> 0x861f7ff <js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*)+31>: mov 0x4(%eax),%eax
Comment 1•10 years ago
A few more related issues:
---
var r = Proxy.revocable({}, {});
var p = r.proxy;
r.revoke();
Object.prototype.toString.call(p);
---
var r = Proxy.revocable(function(){}, {});
var p = r.proxy;
r.revoke();
Function.prototype.toString.call(p);
---
var r = Proxy.revocable(/./, {});
var p = r.proxy;
r.revoke();
RegExp.prototype.exec.call(p, "");
---
Comment 2•10 years ago
This is called "if ScriptedDirectProxyHandler doesn't override every single hook, it is buggy in the presence of revocable proxies". I have a patch for some of this, not sure about all of it, tho.
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86 → All
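As an added example (not code from the bug report, the attached patch, or SpiderMonkey), the script below takes the three operations listed in Comment 1 and the point made in Comment 2 that every proxy hook must cope with revocation, and probes a revoked proxy through the ECMAScript proxy internal methods generally, not just the three cases on this page. Each operation is classified by outcome; in a correct engine every operation that reaches the handler ends in a TypeError rather than a crash, while `typeof` never consults the handler and simply succeeds. The function names `probeRevokedProxy` and `classify` are mine.

```javascript
// Added example: classify what happens when each proxy internal method is
// invoked on a revoked Proxy. The spec requires every internal method of a
// proxy exotic object to throw TypeError when [[ProxyHandler]] is null; the
// SpiderMonkey bug above was a handler that skipped that check in some hooks.

function classify(fn) {
  try {
    fn();
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other:" + e.name;
  }
}

function probeRevokedProxy() {
  // Constructed inputs: one proxy per target kind used in the bug's testcases.
  const obj = Proxy.revocable({}, {});
  const fun = Proxy.revocable(function () {}, {});
  const re = Proxy.revocable(/./, {});
  const p = obj.proxy, f = fun.proxy, r = re.proxy;
  obj.revoke();
  fun.revoke();
  re.revoke();

  const ops = {
    // The operations from the bug report (Comment 0 and Comment 1).
    "instanceof": () => p instanceof p,                        // [[Get]] of @@hasInstance
    "Object.prototype.toString": () => Object.prototype.toString.call(p), // IsArray check
    // Note: exec throws TypeError for any proxy, revoked or not, because a
    // proxy lacks the [[RegExpMatcher]] internal slot; it is listed for completeness.
    "RegExp.prototype.exec": () => RegExp.prototype.exec.call(r, ""),
    // The remaining proxy hooks; each must hit the revoked check first.
    "get": () => p.x,
    "set": () => { p.x = 1; },
    "has": () => "x" in p,
    "deleteProperty": () => delete p.x,
    "ownKeys": () => Object.keys(p),
    "getPrototypeOf": () => Object.getPrototypeOf(p),
    "defineProperty": () => Object.defineProperty(p, "x", { value: 1 }),
    "isExtensible": () => Object.isExtensible(p),
    "apply": () => f(),
    "construct": () => new f(),
    "Array.isArray": () => Array.isArray(p),
    // typeof only reads the proxy's callable flag, never the handler.
    "typeof": () => typeof f,
  };

  const result = {};
  for (const [name, fn] of Object.entries(ops)) {
    result[name] = classify(fn);
  }
  return result;
}

// Stand-alone usage: print the outcome table.
console.table(probeRevokedProxy());
```

Any entry that reports `"ok"` other than `typeof`, or any engine crash while running the probe, is a hook that did not check for revocation first; that is exactly the class of defect this bug fixed for `instanceof`, `Object.prototype.toString`, `Function.prototype.toString` and `RegExp.prototype.exec`.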
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•10 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ef39de0b6232
user: Eric Faust
date: Tue Jul 22 14:10:31 2014 -0700
summary: Bug 978279 - Implement revocation semantics. (r=jorendorff)
This iteration took 432.948 seconds to run.
Attachment #8557347 - Flags: review?(efaustbmo)
Comment 7•10 years ago
Comment on attachment 8557347 (revoked-proxy)
Review of attachment 8557347:
r=me with question below.
::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +1137,5 @@
>
> +const char *
> +ScriptedDirectProxyHandler::className(JSContext *cx, HandleObject proxy) const
> +{
> + // Right now the caller is not prepared to handle failures.
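Review bot: `className` returns a bare `const char *`, so this hunk has no way to report the revoked-proxy case to the caller as an error (which is what the comment at +1137 admits); the comment should state what the method returns for a revoked proxy instead of only saying the caller cannot handle failures, and a follow-up bug that gives `className` callers a failure path would make the limitation explicit rather than leaving it to a code comment.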
ewwwwwwwww, but OK. Is this something we should file a followup and fix, or just a fact of life?
Attachment #8557347 - Flags: review?(efaustbmo) → review+
We should probably fix it; I came across this already when working on CPOWs.
Comment 10•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Summary: Crash [@ js::HasInstance] with Proxy → Handle various operations on revoked proxies
Assignee
Comment 13•10 years ago
Function.prototype.toString changed behavior: it now throws for function proxies. Maybe we should mention this on MDN.
Keywords: dev-doc-needed
Comment 14•10 years ago
Thanks for setting ddn here!
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/toString
https://developer.mozilla.org/en-US/Firefox/Releases/38#JavaScript
Keywords: dev-doc-needed → dev-doc-complete