154854 2016-03-01 04:06:23 -0800 SIGSEGV in Proxy [[Get]] and [[Set]] recursion 2016-03-02 11:17:29 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 andre.bargull saam benjamin fpizlo ggaren gskachkov keith_miller mark.lam msaboff oliver saam sukolsak ysuzuki oldest_to_newest 1169412 0 andre.bargull 2016-03-01 04:06:23 -0800 Revision: r197396 Test case: --- var o = {}; var p = new Proxy(o, {}); Object.setPrototypeOf(o, p); p.x --- Output: --- Program received signal SIGSEGV, Segmentation fault. 0x0000000000447b23 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::_M_head ( __t=<error reading variable: Cannot access memory at address 0x7fffff7feff8>) at /usr/include/c++/5/tuple:193 193 _M_head(const _Tuple_impl& __t) noexcept { return _Base::_M_head(__t); } (gdb) bt #0 0x0000000000447b23 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::_M_head ( __t=<error reading variable: Cannot access memory at address 0x7fffff7feff8>) at /usr/include/c++/5/tuple:193 #1 0x0000000000447b4d in std::__get_helper<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (__t=...) at /usr/include/c++/5/tuple:827 #2 0x0000000000447b67 in std::get<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (__t=std::tuple containing = {...}) at /usr/include/c++/5/tuple:839 #3 0x0000000000447b82 in std::unique_ptr<JSC::StructureIDTable::StructureOrOffset [], std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::get (this=0x7ffff0e010c0) at /usr/include/c++/5/bits/unique_ptr.h:542 #4 0x000000000043aad2 in JSC::StructureIDTable::table (this=0x7ffff0e010a8) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:65 #5 0x000000000043ab23 in JSC::StructureIDTable::get (this=0x7ffff0e010a8, structureID=1) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:86 #6 0x000000000044451d in JSC::JSCell::structure (this=0x7ffff0e58880) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:102 #7 0x0000000000440a1d in JSC::Structure::materializePropertyMapIfNecessary (this=0x7ffff0e58880, vm=..., table=@0x7fffff7ff160: 0x7fffff7ff180) at ../../Source/JavaScriptCore/runtime/Structure.h:633 #8 0x0000000000445d0e in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642, hasInferredType=@0x7fffff7ff1c7: false) at ../../Source/JavaScriptCore/runtime/StructureInlines.h:98 #9 0x0000000000445c4a in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642) at ../../Source/JavaScriptCore/runtime/StructureInlines.h:89 #10 0x0000000000442212 in JSC::JSObject::getOwnNonIndexPropertySlot (this=0x7ffff0e43ec0, vm=..., structure=..., propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1106 #11 0x000000000044267d in JSC::JSObject::getPropertySlot (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1177 #12 0x0000000000442a7c in JSC::JSObject::get (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1231 #13 0x00007ffff6d34bfc in JSC::JSObject::getMethod (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, callData=..., callType=@0x7fffff7ff3fc: (JSC::CallTypeHost | JSC::CallTypeJS | unknown: 32764), ident=..., errorMessage=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2977 #14 0x00007ffff6dc1a6a in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:114 #15 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39 #16 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290 #17 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232 #18 0x00007ffff6dc173d in JSC::<lambda()>::operator()(void) const (__closure=0x7fffff7ff770) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101 #19 0x00007ffff6dc1aca in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:119 #20 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39 #21 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290 #22 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232 #23 0x00007ffff6dc173d in JSC::<lambda()>::operator()(void) const (__closure=0x7fffff7ffa30) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101 ... --- 1169749 1 saam 2016-03-01 22:51:46 -0800 Thanks for reporting this. 1169766 2 saam 2016-03-01 23:14:02 -0800 So it seems like recursion is the correct behavior here. We just need to detect when we've recursed too far and throw a stack overflow error. 1169770 3 272639 saam 2016-03-01 23:33:27 -0800 Created attachment 272639 patch 1169810 4 272639 ysuzuki 2016-03-02 06:14:20 -0800 Comment on attachment 272639 patch View in context: https://bugs.webkit.org/attachment.cgi?id=272639&action=review Interesting, nice catch! r=me > Source/JavaScriptCore/tests/stress/proxy-get-and-set-recursion-stack-overflow.js:18 > +} I suggest adding indexed get case. 1169873 5 saam 2016-03-02 11:17:29 -0800 landed in: http://trac.webkit.org/changeset/197457 272639 2016-03-01 23:33:27 -0800 2016-03-02 06:14:20 -0800 patch a-backup.diff text/plain 3928 saam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTk3NDQ0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIxIEBA CisyMDE2LTAzLTAxICBTYWFtIGJhcmF0aSAgPHNiYXJhdGlAYXBwbGUuY29tPgorCisgICAgICAg IFNJR1NFR1YgaW4gUHJveHkgW1tHZXRdXSBhbmQgW1tTZXRdXSByZWN1cnNpb24KKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1NDg1NAorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFdlIG5lZWQgdG8gYmUgYXdh cmUgb2YgdGhlIHBvc3NpYmlsaXR5IHRoYXQgdGhlIFZNCisgICAgICAgIG1heSByZWN1cnNlIGFu ZCB0aGF0IHdlIGNhbiBzdGFjayBvdmVyZmxvdy4KKworICAgICAgICAqIHJ1bnRpbWUvUHJveHlP YmplY3QuY3BwOgorICAgICAgICAoSlNDOjpwZXJmb3JtUHJveHlHZXQpOgorICAgICAgICAoSlND OjpQcm94eU9iamVjdDo6cGVyZm9ybVB1dCk6CisgICAgICAgICogdGVzdHMvc3RyZXNzL3Byb3h5 LWdldC1hbmQtc2V0LXJlY3Vyc2lvbi1zdGFjay1vdmVyZmxvdy5qczogQWRkZWQuCisgICAgICAg IChhc3NlcnQpOgorICAgICAgICAodGVzdFN0YWNrT3ZlcmZsb3dHZXQpOgorICAgICAgICAodGVz dFN0YWNrT3ZlcmZsb3dTZXQpOgorCiAyMDE2LTAzLTAxICBSeW9zdWtlIE5pd2EgIDxybml3YUB3 ZWJraXQub3JnPgogCiAgICAgICAgIFVucmV2aWV3ZWQuIFVwZGF0ZSB0aGUgc3RhdHVzIG9mIFBy b3h5IG9iamVjdHMgdG8gIkluIERldmVsb3BtZW50Ii4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS9ydW50aW1lL1Byb3h5T2JqZWN0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNj cmlwdENvcmUvcnVudGltZS9Qcm94eU9iamVjdC5jcHAJKHJldmlzaW9uIDE5NzQyOSkKKysrIFNv dXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL1Byb3h5T2JqZWN0LmNwcAkod29ya2luZyBjb3B5 KQpAQCAtODAsNiArODAsMTEgQEAgdm9pZCBQcm94eU9iamVjdDo6ZmluaXNoQ3JlYXRpb24oVk0m IHZtLAogc3RhdGljIEVuY29kZWRKU1ZhbHVlIHBlcmZvcm1Qcm94eUdldChFeGVjU3RhdGUqIGV4 ZWMsIEVuY29kZWRKU1ZhbHVlIHRoaXNWYWx1ZSwgUHJvcGVydHlOYW1lIHByb3BlcnR5TmFtZSkK IHsKICAgICBWTSYgdm0gPSBleGVjLT52bSgpOworICAgIGlmICghdm0uaXNTYWZlVG9SZWN1cnNl KCkpIHsKKyAgICAgICAgdGhyb3dTdGFja092ZXJmbG93RXJyb3IoZXhlYyk7CisgICAgICAgIHJl dHVybiBKU1ZhbHVlOjplbmNvZGUoSlNWYWx1ZSgpKTsKKyAgICB9CisKICAgICBKU09iamVjdCog dGhpc09iamVjdCA9IGpzQ2FzdDxKU09iamVjdCo+KEpTVmFsdWU6OmRlY29kZSh0aGlzVmFsdWUp KTsgLy8gVGhpcyBtaWdodCBiZSBhIHZhbHVlIHdoZXJlIHNvbWV3aGVyZSBpbiBfX3Byb3RvX18g Y2hhaW4gbGl2ZXMgYSBQcm94eU9iamVjdC4KICAgICBKU09iamVjdCogcHJveHlPYmplY3RBc09i amVjdCA9IHRoaXNPYmplY3Q7CiAgICAgLy8gRklYTUU6IG1ha2UgaXQgc28gdGhhdCBjdXN0b20g Z2V0dGVycyB0YWtlIGJvdGggdGhlIHx0aGlzfCB2YWx1ZSBhbmQgdGhlIHNsb3RCYXNlIChwcm9w ZXJ0eSBob2xkZXIpLgpAQCAtMzQ1LDYgKzM1MCwxMCBAQCB0ZW1wbGF0ZSA8dHlwZW5hbWUgUGVy Zm9ybURlZmF1bHRQdXRGdW5jCiB2b2lkIFByb3h5T2JqZWN0OjpwZXJmb3JtUHV0KEV4ZWNTdGF0 ZSogZXhlYywgSlNWYWx1ZSBwdXRWYWx1ZSwgSlNWYWx1ZSB0aGlzVmFsdWUsIFByb3BlcnR5TmFt ZSBwcm9wZXJ0eU5hbWUsIFBlcmZvcm1EZWZhdWx0UHV0RnVuY3Rpb24gcGVyZm9ybURlZmF1bHRQ dXQpCiB7CiAgICAgVk0mIHZtID0gZXhlYy0+dm0oKTsKKyAgICBpZiAoIXZtLmlzU2FmZVRvUmVj dXJzZSgpKSB7CisgICAgICAgIHRocm93U3RhY2tPdmVyZmxvd0Vycm9yKGV4ZWMpOworICAgICAg ICByZXR1cm47CisgICAgfQogCiAgICAgaWYgKHZtLnByb3BlcnR5TmFtZXMtPmlzUHJpdmF0ZU5h bWUoSWRlbnRpZmllcjo6ZnJvbVVpZCgmdm0sIHByb3BlcnR5TmFtZS51aWQoKSkpKQogICAgICAg ICByZXR1cm4gcGVyZm9ybURlZmF1bHRQdXQoKTsKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS90ZXN0cy9zdHJlc3MvcHJveHktZ2V0LWFuZC1zZXQtcmVjdXJzaW9uLXN0YWNrLW92ZXJmbG93 LmpzCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS90ZXN0cy9zdHJlc3MvcHJv eHktZ2V0LWFuZC1zZXQtcmVjdXJzaW9uLXN0YWNrLW92ZXJmbG93LmpzCShyZXZpc2lvbiAwKQor KysgU291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9wcm94eS1nZXQtYW5kLXNldC1y ZWN1cnNpb24tc3RhY2stb3ZlcmZsb3cuanMJKHdvcmtpbmcgY29weSkKQEAgLTAsMCArMSw1MiBA QAorZnVuY3Rpb24gYXNzZXJ0KGIpIHsKKyAgICBpZiAoIWIpCisgICAgICAgIHRocm93IG5ldyBF cnJvcignYmFkIGFzc2VydGlvbicpOworfQorCitmdW5jdGlvbiB0ZXN0U3RhY2tPdmVyZmxvd0dl dCgpIHsKKyAgICBsZXQgdGhyZXcgPSBmYWxzZTsKKyAgICB0cnkgeworICAgICAgICBsZXQgbyA9 IHt9OworICAgICAgICBsZXQgcCA9IG5ldyBQcm94eShvLCB7fSk7CisgICAgICAgIE9iamVjdC5z ZXRQcm90b3R5cGVPZihvLCBwKTsKKyAgICAgICAgcC5hbnlGaWVsZDsKKyAgICB9IGNhdGNoKGUp IHsKKyAgICAgICAgdGhyZXcgPSB0cnVlOworICAgICAgICBhc3NlcnQoZS50b1N0cmluZygpID09 PSAiUmFuZ2VFcnJvcjogTWF4aW11bSBjYWxsIHN0YWNrIHNpemUgZXhjZWVkZWQuIik7CisgICAg fQorICAgIGFzc2VydCh0aHJldyk7Cit9CisKK2Z1bmN0aW9uIHRlc3RTdGFja092ZXJmbG93U2V0 KCkgeworICAgIGxldCB0aHJldyA9IGZhbHNlOworICAgIHRyeSB7CisgICAgICAgIGxldCBvID0g e307CisgICAgICAgIGxldCBwID0gbmV3IFByb3h5KG8sIHt9KTsKKyAgICAgICAgT2JqZWN0LnNl dFByb3RvdHlwZU9mKG8sIHApOworICAgICAgICBwLmFueUZpZWxkID0gNTA7CisgICAgfSBjYXRj aChlKSB7CisgICAgICAgIHRocmV3ID0gdHJ1ZTsKKyAgICAgICAgYXNzZXJ0KGUudG9TdHJpbmco KSA9PT0gIlJhbmdlRXJyb3I6IE1heGltdW0gY2FsbCBzdGFjayBzaXplIGV4Y2VlZGVkLiIpOwor ICAgIH0KKyAgICBhc3NlcnQodGhyZXcpOworfQorCitmdW5jdGlvbiB0ZXN0U3RhY2tPdmVyZmxv d0luZGV4ZWRTZXQoKSB7CisgICAgbGV0IHRocmV3ID0gZmFsc2U7CisgICAgdHJ5IHsKKyAgICAg ICAgbGV0IG8gPSB7fTsKKyAgICAgICAgbGV0IHAgPSBuZXcgUHJveHkobywge30pOworICAgICAg ICBPYmplY3Quc2V0UHJvdG90eXBlT2YobywgcCk7CisgICAgICAgIHBbMF0gPSA1MDsKKyAgICB9 IGNhdGNoKGUpIHsKKyAgICAgICAgdGhyZXcgPSB0cnVlOworICAgICAgICBhc3NlcnQoZS50b1N0 cmluZygpID09PSAiUmFuZ2VFcnJvcjogTWF4aW11bSBjYWxsIHN0YWNrIHNpemUgZXhjZWVkZWQu Iik7CisgICAgfQorICAgIGFzc2VydCh0aHJldyk7Cit9CisKK2ZvciAobGV0IGkgPSAwOyBpIDwg MzUwOyBpKyspIHsKKyAgICB0ZXN0U3RhY2tPdmVyZmxvd0dldCgpOworICAgIHRlc3RTdGFja092 ZXJmbG93U2V0KCk7CisgICAgdGVzdFN0YWNrT3ZlcmZsb3dJbmRleGVkU2V0KCk7Cit9Cg==