Bug 154854 - SIGSEGV in Proxy [[Get]] and [[Set]] recursion
Summary: SIGSEGV in Proxy [[Get]] and [[Set]] recursion
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-01 04:06 PST by André Bargull
Modified: 2016-03-02 11:17 PST (History)

See Also:


Attachments
patch (3.84 KB, patch)
2016-03-01 23:33 PST, Saam Barati
ysuzuki: review+

Description André Bargull 2016-03-01 04:06:23 PST
Revision: r197396

Test case:
---
var o = {};
var p = new Proxy(o, {});
Object.setPrototypeOf(o, p);
p.x
---


Output:
---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000447b23 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::_M_head (
    __t=<error reading variable: Cannot access memory at address 0x7fffff7feff8>) at /usr/include/c++/5/tuple:193
193	      _M_head(const _Tuple_impl& __t) noexcept { return _Base::_M_head(__t); }
(gdb) bt
#0  0x0000000000447b23 in std::_Tuple_impl<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::_M_head (
    __t=<error reading variable: Cannot access memory at address 0x7fffff7feff8>) at /usr/include/c++/5/tuple:193
#1  0x0000000000447b4d in std::__get_helper<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (__t=...) at /usr/include/c++/5/tuple:827
#2  0x0000000000447b67 in std::get<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (__t=std::tuple containing = {...})
    at /usr/include/c++/5/tuple:839
#3  0x0000000000447b82 in std::unique_ptr<JSC::StructureIDTable::StructureOrOffset [], std::default_delete<JSC::StructureIDTable::StructureOrOffset []> >::get (this=0x7ffff0e010c0)
    at /usr/include/c++/5/bits/unique_ptr.h:542
#4  0x000000000043aad2 in JSC::StructureIDTable::table (this=0x7ffff0e010a8) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:65
#5  0x000000000043ab23 in JSC::StructureIDTable::get (this=0x7ffff0e010a8, structureID=1) at ../../Source/JavaScriptCore/runtime/StructureIDTable.h:86
#6  0x000000000044451d in JSC::JSCell::structure (this=0x7ffff0e58880) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:102
#7  0x0000000000440a1d in JSC::Structure::materializePropertyMapIfNecessary (this=0x7ffff0e58880, vm=..., table=@0x7fffff7ff160: 0x7fffff7ff180) at ../../Source/JavaScriptCore/runtime/Structure.h:633
#8  0x0000000000445d0e in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642, hasInferredType=@0x7fffff7ff1c7: false)
    at ../../Source/JavaScriptCore/runtime/StructureInlines.h:98
#9  0x0000000000445c4a in JSC::Structure::get (this=0x7ffff0e58880, vm=..., propertyName=..., attributes=@0x7fffff7ff218: 4434642) at ../../Source/JavaScriptCore/runtime/StructureInlines.h:89
#10 0x0000000000442212 in JSC::JSObject::getOwnNonIndexPropertySlot (this=0x7ffff0e43ec0, vm=..., structure=..., propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1106
#11 0x000000000044267d in JSC::JSObject::getPropertySlot (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1177
#12 0x0000000000442a7c in JSC::JSObject::get (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1231
#13 0x00007ffff6d34bfc in JSC::JSObject::getMethod (this=0x7ffff0e43ec0, exec=0x7fffffffccb0, callData=..., callType=@0x7fffff7ff3fc: (JSC::CallTypeHost | JSC::CallTypeJS | unknown: 32764), ident=..., 
    errorMessage=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:2977
#14 0x00007ffff6dc1a6a in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:114
#15 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39
#16 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff620, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290
#17 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232
#18 0x00007ffff6dc173d in JSC::<lambda()>::operator()(void) const (__closure=0x7fffff7ff770) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101
#19 0x00007ffff6dc1aca in JSC::performProxyGet (exec=0x7fffffffccb0, thisValue=140737234878208, propertyName=...) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:119
#20 0x00007ffff6dbb9b2 in JSC::PropertySlot::customGetter (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:39
#21 0x000000000043f2a8 in JSC::PropertySlot::getValue (this=0x7fffff7ff8e0, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.h:290
#22 0x0000000000442a97 in JSC::JSObject::get (this=0x7ffff0e43f00, exec=0x7fffffffccb0, propertyName=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:1232
#23 0x00007ffff6dc173d in JSC::<lambda()>::operator()(void) const (__closure=0x7fffff7ffa30) at ../../Source/JavaScriptCore/runtime/ProxyObject.cpp:101
...
---
Comment 1 Saam Barati 2016-03-01 22:51:46 PST
Thanks for reporting this.
Comment 2 Saam Barati 2016-03-01 23:14:02 PST
So it seems like recursion is the correct behavior here.
We just need to detect when we've recursed too far
and throw a stack overflow error.
Comment 3 Saam Barati 2016-03-01 23:33:27 PST
Created attachment 272639 [details]
patch
Comment 4 Yusuke Suzuki 2016-03-02 06:14:20 PST
Comment on attachment 272639 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=272639&action=review

Interesting, nice catch! r=me

> Source/JavaScriptCore/tests/stress/proxy-get-and-set-recursion-stack-overflow.js:18
> +}

I suggest adding indexed get case.
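As an added regression check (not the stress test from the patch), the snippet below builds the cyclic Proxy from the report and exercises the three shapes discussed on this bug: named get, the indexed get Yusuke asked for, and set. A correctly hardened engine unwinds each one with a RangeError (stack overflow) rather than crashing; the helper names are assumptions of this example.

```javascript
// Added example, not part of the WebKit patch or its test suite.
// Builds the cycle from the report: a target whose [[Prototype]] is the very
// proxy that wraps it, so every property miss on the target re-enters the
// proxy's [[Get]] / [[Set]] and the engine must detect the unbounded recursion.

function makeCyclicProxy() {
  const target = {};
  const proxy = new Proxy(target, {});   // no traps: forwards to the target
  Object.setPrototypeOf(target, proxy);  // allowed: a proxy ends the cycle check
  return proxy;
}

// Run `op` against a fresh cyclic proxy and report how it terminated.
// 'RangeError' is the expected, safe outcome; 'returned' would mean the
// recursion silently stopped; any other error name is reported verbatim.
function probe(op) {
  const p = makeCyclicProxy();
  try {
    op(p);
    return 'returned';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : `other:${e.constructor.name}`;
  }
}

// The three cases raised on the bug: named get, indexed get, and set.
function probeAll() {
  return {
    namedGet: probe((p) => p.x),
    indexedGet: probe((p) => p[0]),
    set: probe((p) => { p.x = 1; }),
  };
}

console.log(probeAll());
```

Each probe is run on a fresh proxy so one exhausted stack cannot influence the next measurement.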
Comment 5 Saam Barati 2016-03-02 11:17:29 PST
landed in:
http://trac.webkit.org/changeset/197457