Last Comment Bug 652803 - [Harmony proxies] recursive fixing doesn't throw
: [Harmony proxies] recursive fixing doesn't throw
Status: RESOLVED FIXED
[fixed-in-tracemonkey]
:
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: P2 normal (vote)
: ---
Assigned To: Josh Matthews [:jdm]
:
Mentors:
Depends on:
Blocks: 600677 655112
  Show dependency treegraph
 
Reported: 2011-04-26 07:57 PDT by Tom Van Cutsem
Modified: 2011-05-10 15:36 PDT (History)
8 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Potential fix (1.05 KB, patch)
2011-04-27 11:17 PDT, Josh Matthews [:jdm]
no flags Details | Diff | Review
Check proxy operations before fixing object. (1.12 KB, patch)
2011-05-05 13:00 PDT, Josh Matthews [:jdm]
gal: review+
Details | Diff | Review

Description Tom Van Cutsem 2011-04-26 07:57:07 PDT
Recursively fixing a Harmony proxy should be short-circuited by throwing a TypeError, to safeguard against infinite loops. For instance:

    var proxy = Proxy.create({
      fix: function() {
        Object.preventExtensions(proxy); // triggers 'fix()' recursively
        return {};
      }
    });
    Object.preventExtensions(proxy); // triggers 'fix'

Result: InternalError: too much recursion
Expected: a TypeError

We reached consensus on this behavior in a TC39 meeting last year. Admittedly,
it's well hidden on the semantics page:
<http://wiki.ecmascript.org/doku.php?id=harmony:proxies_semantics>

"Note: recursive fixing should be disallowed. If fix() is called on a proxy
handler while the same proxy is already being fixed (an earlier call to fix()
is already on the stack), a TypeError should be thrown. "
Comment 1 Josh Matthews [:jdm] 2011-04-27 11:17:48 PDT
Created attachment 528646 [details] [diff] [review]
Potential fix

So it looks like the code to do this properly is already present, but in the wrong spot. I have no way of accessing tryserver or a recent tree, so this patch may not apply or be correct. If someone (gal?) could try applying it and see if it solves the problem, I would be mighty appreciative.
Comment 2 Brendan Eich [:brendan] 2011-04-27 12:13:19 PDT
Andreas, want to own this till Josh returns?

/be
Comment 3 Josh Matthews [:jdm] 2011-05-05 13:00:54 PDT
Created attachment 530403 [details] [diff] [review]
Check proxy operations before fixing object.

Tested; this works correctly.
Comment 4 Andreas Gal :gal 2011-05-05 14:37:33 PDT
Comment on attachment 530403 [details] [diff] [review]
Check proxy operations before fixing object.

Nice patch. Thanks!
Comment 5 Igor Bukanov 2011-05-06 13:40:34 PDT
We need a regression test for this bug. http://hg.mozilla.org/tracemonkey/rev/6855db79531d does not include one.
Comment 6 Chris Leary [:cdleary] (not checking bugmail) 2011-05-10 15:12:01 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/6855db79531d
Note: not marking as fixed because fixed-in-tracemonkey is not present on the whiteboard.

Note You need to log in before you can comment on or make changes to this bug.