1405717 - Check if wrapWithProto can be made fuzzing-safe

Status: RESOLVED FIXED

(Core :: JavaScript Engine, enhancement, P3)

Description

[Christian Holler (:decoder)]

Apparently the testing function wrapWithProto is capable of covering some code in  js/src/proxy/Proxy.cpp that we cover with tests but not in fuzzing. The code in question is this:

http://searchfox.org/mozilla-central/rev/e62604a97286f49993eb29c493672c17c7398da9/js/src/proxy/Proxy.cpp#340


We have e.g. js/src/jit-test/tests/basic/bug842940.js that uses this and hits the mentioned code location. It seems that this wasn't always fuzzing-unsafe because bug 842940 itself is a fuzzing bug.

NI for jandem based on IRC conversation.

Comment 1

[Jan de Mooij [:jandem]]

So bug 1126105 made this fuzzing-unsafe, and added this comment:

"  Note: This is not fuzzing safe because it can be used to construct\n"
"        deeply nested wrapper chains that cannot exist in the wild."),

Apparently isCallable et al could run out of stack-space.

IMO making functions fuzzing-unsafe is a pretty big (and unfortunate) hammer - we can probably just check for this.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

This makes wrapWithProto fuzzing-safe again. It throws an exception when trying to wrap a wrapper to avoid the overrecursion issue. No tests rely on wrapping a wrapper.

Comment 3

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ad173cf46012
Make wrapWithProto fuzzing-safe. r=jwalden

Comment 4

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/ad173cf46012