Closed Bug 1812905 Opened 1 year ago Closed 1 year ago

Getters/setters called inside self-hosted JS cannot be caught by debugger

Categories

(Core :: JavaScript Engine, task, P3)

task

Tracking


RESOLVED FIXED
111 Branch
Tracking Status
firefox111 --- fixed

People

(Reporter: arai, Assigned: arai)

References

Details

Attachments

(1 file)

In bug 1609432, we added CallReason::CallContent, to notify the debugger of function calls inside self-hosted JS.

https://searchfox.org/mozilla-central/rev/ef5dad8c11a556acd68ca3b9dcd77b226e0aaa29/js/src/vm/Interpreter.h#54-62

enum class CallReason {
  Call,
  // callContentFunction or constructContentFunction in self-hosted JS.
  CallContent,
  // Function.prototype.call or Function.prototype.apply.
  FunCall,
  Getter,
  Setter,
};

In bug 1806598, we're going to stop treating all getters as non-effectful inside eager evaluation, which means we'll want to catch getter calls inside self-hosted JS.

This is problematic in the following case:

RegExp.prototype[@@match] accesses "flags" property, which is by default RegExp.prototype.flags getter.

https://tc39.es/ecma262/#sec-regexp.prototype-@@match

22.2.6.8 RegExp.prototype [ @@match ] ( string )
...
  4. Let flags be ? ToString(? Get(rx, "flags")).

https://searchfox.org/mozilla-central/rev/ef5dad8c11a556acd68ca3b9dcd77b226e0aaa29/js/src/builtin/RegExp.js#125,156-157,162,164

function RegExpMatch(string) {
...
  return RegExpMatchSlowPath(rx, S);
}
...
function RegExpMatchSlowPath(rx, S) {
...
  var flags = ToString(rx.flags);

RegExp.prototype.flags getter accesses all flag properties, e.g. global, with a Get operation.

https://tc39.es/ecma262/#sec-get-regexp.prototype.flags

22.2.6.4 get RegExp.prototype.flags
...
  6. Let global be ToBoolean(? Get(R, "global")).

https://searchfox.org/mozilla-central/rev/ef5dad8c11a556acd68ca3b9dcd77b226e0aaa29/js/src/builtin/RegExp.js#9,25

function $RegExpFlagsGetter() {
...
  if (R.global) {

Here, this Get operation is observable to web content if

  • the RegExp.prototype.global getter is modified
  • the this value R has a global getter

So, if we don't expose getter accesses inside self-hosted JS, RegExp.prototype[@@match] needs to be marked as effectful, even if it's non-effectful in most cases.

A possible option here is to introduce JSOp::GetContentProp, with some notation in self-hosted JS to emit it,
and call the onNativeCall hook if the property is a getter.

The other option is to just call onNativeCall for all getter/setter calls inside self-hosted JS.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/24cc5069faf3
Call onNativeCall for all getters and setters inside self-hosted JS. r=jandem
Flags: needinfo?(arai.unmht)
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/6753d85742d9
Call onNativeCall for all getters and setters inside self-hosted JS. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Flags: needinfo?(arai.unmht)
