Last Comment Bug 652803 - [Harmony proxies] recursive fixing doesn't throw
: [Harmony proxies] recursive fixing doesn't throw
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
P2 normal (vote)
: ---
Assigned To: Josh Matthews [:jdm]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: 600677 655112
  Show dependency treegraph
Reported: 2011-04-26 07:57 PDT by Tom Van Cutsem
Modified: 2011-05-10 15:36 PDT (History)
8 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Potential fix (1.05 KB, patch)
2011-04-27 11:17 PDT, Josh Matthews [:jdm]
no flags Details | Diff | Splinter Review
Check proxy operations before fixing object. (1.12 KB, patch)
2011-05-05 13:00 PDT, Josh Matthews [:jdm]
gal: review+
Details | Diff | Splinter Review

Description User image Tom Van Cutsem 2011-04-26 07:57:07 PDT
Recursively fixing a Harmony proxy should be short-circuited by throwing a TypeError, to safeguard against infinite loops. For instance:

    var proxy = Proxy.create({
      fix: function() {
        Object.preventExtensions(proxy); // triggers 'fix()' recursively
        return {};
    Object.preventExtensions(proxy); // triggers 'fix'

Result: InternalError: too much recursion
Expected: a TypeError

We reached consensus on this behavior in a TC39 meeting last year. Admittedly,
it's well hidden on the semantics page:

"Note: recursive fixing should be disallowed. If fix() is called on a proxy
handler while the same proxy is already being fixed (an earlier call to fix()
is already on the stack), a TypeError should be thrown. "
Comment 1 User image Josh Matthews [:jdm] 2011-04-27 11:17:48 PDT
Created attachment 528646 [details] [diff] [review]
Potential fix

So it looks like the code to do this properly is already present, but in the wrong spot. I have no way of accessing tryserver or a recent tree, so this patch may not apply or be correct. If someone (gal?) could try applying it and see if it solves the problem, I would be mighty appreciative.
Comment 2 User image Brendan Eich [:brendan] 2011-04-27 12:13:19 PDT
Andreas, want to own this till Josh returns?

Comment 3 User image Josh Matthews [:jdm] 2011-05-05 13:00:54 PDT
Created attachment 530403 [details] [diff] [review]
Check proxy operations before fixing object.

Tested; this works correctly.
Comment 4 User image Andreas Gal :gal 2011-05-05 14:37:33 PDT
Comment on attachment 530403 [details] [diff] [review]
Check proxy operations before fixing object.

Nice patch. Thanks!
Comment 5 User image Igor Bukanov 2011-05-06 13:40:34 PDT
We need a regression test for this bug. does not include one.
Comment 6 User image Chris Leary [:cdleary] (not checking bugmail) 2011-05-10 15:12:01 PDT
cdleary-bot mozilla-central merge info:
Note: not marking as fixed because fixed-in-tracemonkey is not present on the whiteboard.

Note You need to log in before you can comment on or make changes to this bug.