Closed Bug 1100936 Opened 6 years ago Closed 6 years ago

Handle various operations on revoked proxies


(Core :: JavaScript Engine, defect)




Tracking Status
firefox36 --- affected


(Reporter: decoder, Assigned: evilpie)


(Blocks 1 open bug)


(Keywords: crash, dev-doc-complete, testcase, Whiteboard: [jsbugmon:update])



(1 file)

The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --target=i686-pc-linux-gnu, run with --fuzzing-safe):

var r = Proxy.revocable({}, {});
var p = r.proxy;
p instanceof p;


Program received signal SIGSEGV, Segmentation fault.
js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=v@entry=..., bp=bp@entry=0xffffc45c) at js/src/jsobj.h:138
138             return type_->clasp();
(gdb) bt
#0  js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=v@entry=..., bp=bp@entry=0xffffc45c) at js/src/jsobj.h:138
#1  0x085ec4d2 in js::DirectProxyHandler::hasInstance (this=0x958d1e4 <js::ScriptedDirectProxyHandler::singleton>, cx=0x95de230, proxy=..., v=..., bp=0xffffc52c)
    at js/src/proxy/DirectProxyHandler.cpp:106
#2  0x085ee9c1 in js::Proxy::hasInstance (cx=cx@entry=0x95de230, proxy=proxy@entry=..., v=v@entry=..., bp=bp@entry=0xffffc52c) at js/src/proxy/Proxy.cpp:473
#3  0x085eea36 in js::proxy_HasInstance (cx=0x95de230, proxy=..., v=..., bp=0xffffc858) at js/src/proxy/Proxy.cpp:801
#4  0x0861f85e in js::HasInstance (cx=cx@entry=0x95de230, obj=obj@entry=..., v=..., bp=bp@entry=0xffffc858) at js/src/vm/Interpreter.cpp:687
#5  0x0864e7be in Interpret (cx=cx@entry=0x95de230, state=...) at js/src/vm/Interpreter.cpp:3288
#6  0x08656661 in js::RunScript (cx=cx@entry=0x95de230, state=...) at js/src/vm/Interpreter.cpp:432
#7  0x08665ee1 in js::ExecuteKernel (cx=cx@entry=0x95de230, script=script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., 
    result=result@entry=0x0) at js/src/vm/Interpreter.cpp:641
#8  0x08668087 in js::Execute (cx=cx@entry=0x95de230, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:678
(gdb) info reg
eax            0x0      0
ecx            0x2      2
edx            0xffffc588       -14968
ebx            0x9596ff4        156856308
esp            0xffffc3a0       0xffffc3a0
ebp            0xffffc428       0xffffc428
esi            0xffffc3e0       -15392
edi            0xffffc3f8       -15368
eip            0x861f7ff        0x861f7ff <js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*)+31>
eflags         0x10202  [ IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
(gdb) x /i $pc
=> 0x861f7ff <js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*)+31>:     mov    0x4(%eax),%eax
A few more related issues:

var r = Proxy.revocable({}, {});
var p = r.proxy;

var r = Proxy.revocable(function(){}, {});
var p = r.proxy;

var r = Proxy.revocable(/./, {});
var p = r.proxy;
r.revoke();, "");
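An added example, not code from the bug report or the SpiderMonkey tree, showing the outcome a correct engine must produce for the operations in these testcases once revoke() has been called: each one fails with a TypeError instead of dereferencing the cleared target. It assumes a Node.js (V8) runtime.

```javascript
// Added example, not part of the bug report. Builds revoked proxies around the
// three target kinds used above (plain object, function, RegExp), applies the
// reported operations to them, and records whether each completed, threw a
// TypeError, or threw something else. Per ES2015+, every internal-method trap
// on a revoked proxy must throw a TypeError; an engine that instead follows
// the null target pointer is exactly the class of crash reported here.

// Construct a proxy around `target`, revoke it, then apply each named op.
function probeRevokedProxy(target, ops) {
  const { proxy, revoke } = Proxy.revocable(target, {});
  revoke();
  const results = {};
  for (const [name, op] of Object.entries(ops)) {
    try {
      op(proxy);
      results[name] = "ok";
    } catch (e) {
      results[name] = e instanceof TypeError
        ? "TypeError"
        : `other:${e && e.constructor ? e.constructor.name : String(e)}`;
    }
  }
  return results;
}

// Operations mirror the testcases in the report.
function runProbes() {
  return {
    object: probeRevokedProxy({}, {
      instanceofSelf: (p) => p instanceof p,               // @@hasInstance lookup -> [[Get]]
      objectToString: (p) => Object.prototype.toString.call(p), // IsArray on revoked proxy
      keys: (p) => Object.keys(p),                          // [[OwnPropertyKeys]]
    }),
    function: probeRevokedProxy(function () {}, {
      call: (p) => p(),                                     // [[Call]] with null handler
      // Spec-dependent: modern engines may return a "[native code]" string
      // here; Firefox at the time chose to throw (see the later comment).
      functionToString: (p) => Function.prototype.toString.call(p),
    }),
    regexp: probeRevokedProxy(/./, {
      exec: (p) => RegExp.prototype.exec.call(p, ""),       // brand check on this
      test: (p) => RegExp.prototype.test.call(p, ""),       // Get(R, "exec") on revoked proxy
    }),
  };
}

// True when nothing other than a TypeError escaped any probe (no crash, no
// foreign exception type leaking out of the engine).
function allFailSafely(report) {
  return Object.values(report).every((r) =>
    Object.values(r).every((v) => v === "ok" || v === "TypeError"));
}

console.log(JSON.stringify(runProbes(), null, 2));
```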
This is called "if ScriptedDirectProxyHandler doesn't override every single hook, it is buggy in the presence of revocable proxies".  I have a patch for some of this, not sure about all of it, tho.
Assignee: nobody → jwalden+bmo
OS: Linux → All
Hardware: x86 → All
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Eric Faust
date:        Tue Jul 22 14:10:31 2014 -0700
summary:     Bug 978279 - Implement revocation semantics. (r=jorendorff)

This iteration took 432.948 seconds to run.
Duplicate of this bug: 1125044
Blocks: 1088640
Attached patch revoked-proxy
Attachment #8557347 - Flags: review?(efaustbmo)
Comment on attachment 8557347 [details] [diff] [review]

Review of attachment 8557347 [details] [diff] [review]:

r=me with question below.

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +1137,5 @@
> +const char *
> +ScriptedDirectProxyHandler::className(JSContext *cx, HandleObject proxy) const
> +{
> +    // Right now the caller is not prepared to handle failures.
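Review bot: the comment at the top of className only records that callers cannot handle failure; since the `const char *` return type gives no way to report that the proxy has been revoked, the comment should also state what name is returned in that case and that no exception is left pending, so callers that print the class name of a revoked proxy know the contract, e.g. `// Callers cannot handle failure, so a revoked proxy yields a fixed class name rather than a TypeError.`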

ewwwwwwwww, but OK. Is this something we should file a followup and fix, or just a fact of life?
Attachment #8557347 - Flags: review?(efaustbmo) → review+
We should probably fix it; I came across this already when working on CPOWs.
Assignee: jwalden+bmo → evilpies
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Summary: Crash [@ js::HasInstance] with Proxy → Handle various operations on revoked proxies
Duplicate of this bug: 1124620
Duplicate of this bug: 1124616
Depends on: 1140854
Function.prototype.toString changed behavior: it now throws for function proxies. Maybe we should mention this on MDN.
Keywords: dev-doc-needed
Duplicate of this bug: 650299