Closed
Bug 1100936
Opened 9 years ago
Closed 9 years ago
Handle various operations on revoked proxies
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla38
Tracking | Status | |
---|---|---|
firefox36 | --- | affected |
People
(Reporter: decoder, Assigned: evilpie)
References
(Blocks 1 open bug)
Details
(Keywords: crash, dev-doc-complete, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file): patch, 5.60 KB; efaust: review+
The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --target=i686-pc-linux-gnu, run with --fuzzing-safe):

var r = Proxy.revocable({}, {});
var p = r.proxy;
r.revoke();
p instanceof p;

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=v@entry=..., bp=bp@entry=0xffffc45c) at js/src/jsobj.h:138
138 return type_->clasp();
(gdb) bt
#0 js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=v@entry=..., bp=bp@entry=0xffffc45c) at js/src/jsobj.h:138
#1 0x085ec4d2 in js::DirectProxyHandler::hasInstance (this=0x958d1e4 <js::ScriptedDirectProxyHandler::singleton>, cx=0x95de230, proxy=..., v=..., bp=0xffffc52c) at js/src/proxy/DirectProxyHandler.cpp:106
#2 0x085ee9c1 in js::Proxy::hasInstance (cx=cx@entry=0x95de230, proxy=proxy@entry=..., v=v@entry=..., bp=bp@entry=0xffffc52c) at js/src/proxy/Proxy.cpp:473
#3 0x085eea36 in js::proxy_HasInstance (cx=0x95de230, proxy=..., v=..., bp=0xffffc858) at js/src/proxy/Proxy.cpp:801
#4 0x0861f85e in js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=..., bp=bp@entry=0xffffc858) at js/src/vm/Interpreter.cpp:687
#5 0x0864e7be in Interpret (cx=cx@entry=0x95de230, state=...) at js/src/vm/Interpreter.cpp:3288
#6 0x08656661 in js::RunScript (cx=cx@entry=0x95de230, state=...) at js/src/vm/Interpreter.cpp:432
#7 0x08665ee1 in js::ExecuteKernel (cx=cx@entry=0x95de230, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:641
#8 0x08668087 in js::Execute (cx=cx@entry=0x95de230, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:678
(gdb) info reg
eax 0x0 0
ecx 0x2 2
edx 0xffffc588 -14968
ebx 0x9596ff4 156856308
esp 0xffffc3a0 0xffffc3a0
ebp 0xffffc428 0xffffc428
esi 0xffffc3e0 -15392
edi 0xffffc3f8 -15368
eip 0x861f7ff 0x861f7ff <js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*)+31>
eflags 0x10202 [ IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x /i $pc
=> 0x861f7ff <js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*)+31>: mov 0x4(%eax),%eax
Comment 1•9 years ago
A few more related issues:

---
var r = Proxy.revocable({}, {});
var p = r.proxy;
r.revoke();
Object.prototype.toString.call(p);
---
var r = Proxy.revocable(function(){}, {});
var p = r.proxy;
r.revoke();
Function.prototype.toString.call(p);
---
var r = Proxy.revocable(/./, {});
var p = r.proxy;
r.revoke();
RegExp.prototype.exec.call(p, "");
---
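A probe for the same four operations, written here as an added example (not the bug's testcase and not SpiderMonkey code), that records whether each operation on a revoked proxy ends in a TypeError, a normal result, or something else. What Function.prototype.toString does on a revoked callable proxy is engine- and spec-revision-specific, so the probe only records it rather than expecting a throw.

```javascript
"use strict";

// Constructed helper: build a revocable proxy over `target` and revoke it
// immediately, leaving a proxy whose handler slot is null.
function makeRevoked(target) {
  const r = Proxy.revocable(target, {});
  r.revoke();
  return r.proxy;
}

// Run `fn` and classify the outcome: the typeof of a returned value,
// "TypeError" for the expected revoked-proxy error, or "other:<message>".
function classify(fn) {
  try {
    return typeof fn();
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other:" + String(e);
  }
}

// Exercise each operation from the bug report against a revoked proxy of
// the matching target kind (plain object, function, RegExp).
function probeRevokedProxy() {
  const obj = makeRevoked({});
  const fn = makeRevoked(function () {});
  const re = makeRevoked(/./);
  return {
    // instanceof looks up @@hasInstance on the RHS via the proxy's [[Get]]
    instanceof: classify(() => obj instanceof obj),
    // Object.prototype.toString calls IsArray and reads @@toStringTag
    objectToString: classify(() => Object.prototype.toString.call(obj)),
    // implementation-defined for a revoked callable proxy: string or throw
    functionToString: classify(() => Function.prototype.toString.call(fn)),
    // RegExp.prototype.exec needs the [[RegExpMatcher]] slot a proxy lacks
    regexpExec: classify(() => RegExp.prototype.exec.call(re, "")),
  };
}

// Every handler hook has to check for revocation itself; the table shows
// which operations surface it as a TypeError instead of a crash.
console.log(probeRevokedProxy());
```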
Comment 2•9 years ago
This is called "if ScriptedDirectProxyHandler doesn't override every single hook, it is buggy in the presence of revocable proxies". I have a patch for some of this, not sure about all of it, though.
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86 → All
Updated•9 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3•9 years ago (Reporter)
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ef39de0b6232
user: Eric Faust
date: Tue Jul 22 14:10:31 2014 -0700
summary: Bug 978279 - Implement revocation semantics. (r=jorendorff)

This iteration took 432.948 seconds to run.
Comment 6•9 years ago (Assignee)
Attachment #8557347 - Flags: review?(efaustbmo)
Comment 7•9 years ago
Comment on attachment 8557347 [details] [diff] [review] revoked-proxy Review of attachment 8557347 [details] [diff] [review]: ----------------------------------------------------------------- r=me with question below. ::: js/src/proxy/ScriptedDirectProxyHandler.cpp @@ +1137,5 @@ > > +const char * > +ScriptedDirectProxyHandler::className(JSContext *cx, HandleObject proxy) const > +{ > + // Right now the caller is not prepared to handle failures. ewwwwwwwww, but OK. Is this something we should file a followup and fix, or just a fact of life?
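Review bot: in the ScriptedDirectProxyHandler.cpp hunk at @@ +1137,5 @@, className() is declared to return a bare const char * with no way to report an error, which is what the "caller is not prepared to handle failures" comment records; for a revoked proxy this hook therefore cannot raise the TypeError the other traps produce and has to fall back to returning something. Suggest the comment state explicitly what is returned for a revoked proxy, and that the follow-up efaust asks about be filed and referenced there so the non-throwing fallback does not silently outlive this patch.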
Attachment #8557347 - Flags: review?(efaustbmo) → review+
Comment 8•9 years ago (Assignee)
We should probably fix it; I came across this already when working on CPOWs.
Updated•9 years ago (Assignee)
Assignee: jwalden+bmo → evilpies
Comment 9•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b4c5e8bcb819
Comment 10•9 years ago
https://hg.mozilla.org/mozilla-central/rev/b4c5e8bcb819
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Updated•9 years ago (Assignee)
Summary: Crash [@ js::HasInstance] with Proxy → Handle various operations on revoked proxies
Comment 13•9 years ago (Assignee)
Function.prototype.toString changed behavior: it now throws for function proxies. Maybe we should mention this on MDN.
Keywords: dev-doc-needed
Comment 14•9 years ago
Thanks for setting ddn here!
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/toString
https://developer.mozilla.org/en-US/Firefox/Releases/38#JavaScript
Keywords: dev-doc-needed → dev-doc-complete