Skip to content

Commit

Permalink
deps: V8: cherry-pick 031b98b25cba
Browse files Browse the repository at this point in the history
Original commit message:

    [runtime] Clear array join stack when throwing uncatchable

    ... exception.

    Array#join depends array_join_stack to avoid infinite loop
    and ensures symmetric pushes/pops through catch blocks to
    correctly maintain the elements in the join stack.
    However, the stack does not pop the elements and leaves in
    an invalid state when throwing the uncatchable termination
    exception. And the invalid join stack state will affect
    subsequent Array#join calls. Because all the terminate
    exception will be handled by Isolate::UnwindAndFindHandler,
    we could clear the array join stack when unwinding the terminate
    exception.

    Bug: v8:13259
    Change-Id: I23823e823c5fe0b089528c5cf654864cea78ebeb
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3878451
    Reviewed-by: Jakob Linke <[email protected]>
    Commit-Queue: 王澳 <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83465}

Refs: v8/v8@031b98b
Closes: #44417
PR-URL: #45375
Fixes: #44417
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Kohei Ueno <[email protected]>
  • Loading branch information
targos authored Nov 11, 2022
1 parent 916af4e commit 4107ce0
Show file tree
Hide file tree
Showing 4 changed files with 159 additions and 0 deletions.
9 changes: 9 additions & 0 deletions deps/v8/src/execution/isolate.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1949,6 +1949,15 @@ Object Isolate::UnwindAndFindHandler() {
// Special handling of termination exceptions, uncatchable by JavaScript and
// Wasm code, we unwind the handlers until the top ENTRY handler is found.
bool catchable_by_js = is_catchable_by_javascript(exception);
if (!catchable_by_js && !context().is_null()) {
// Because the array join stack will not pop the elements when throwing the
// uncatchable terminate exception, we need to clear the array join stack to
// avoid leaving the stack in an invalid state.
// See also CycleProtectedArrayJoin.
raw_native_context().set_array_join_stack(
ReadOnlyRoots(this).undefined_value());
}

int visited_frames = 0;

#if V8_ENABLE_WEBASSEMBLY
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
Tests that Runtime.evaluate with REPL mode correctly handles Array.prototype.join.
{
id : <messageId>
result : {
result : {
className : Array
description : Array(1)
objectId : <objectId>
subtype : array
type : object
}
}
}
{
id : <messageId>
result : {
exceptionDetails : {
columnNumber : -1
exception : {
className : EvalError
description : EvalError: Possible side-effect in debug-evaluate
objectId : <objectId>
subtype : error
type : object
}
exceptionId : <exceptionId>
lineNumber : -1
scriptId : <scriptId>
text : Uncaught
}
result : {
className : EvalError
description : EvalError: Possible side-effect in debug-evaluate
objectId : <objectId>
subtype : error
type : object
}
}
}
{
id : <messageId>
result : {
result : {
type : string
value : /a/
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let {Protocol} = InspectorTest.start(
'Tests that Runtime.evaluate with REPL mode correctly handles \
Array.prototype.join.');

Protocol.Runtime.enable();
(async function () {
await evaluateReplWithSideEffects('a=[/a/]')
await evaluateRepl('a.toString()');
await evaluateReplWithSideEffects('a.toString()');

InspectorTest.completeTest();
})();

async function evaluateRepl(expression) {
InspectorTest.logMessage(await Protocol.Runtime.evaluate({
expression: expression,
replMode: true,
throwOnSideEffect: true
}));
}

async function evaluateReplWithSideEffects(expression) {
InspectorTest.logMessage(await Protocol.Runtime.evaluate({
expression: expression,
replMode: true,
throwOnSideEffect: false
}));
}
70 changes: 70 additions & 0 deletions deps/v8/test/unittests/execution/thread-termination-unittest.cc
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
#include "src/init/v8.h"
#include "src/objects/objects-inl.h"
#include "test/unittests/test-utils.h"
#include "testing/gmock-support.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace v8 {
Expand Down Expand Up @@ -889,6 +890,75 @@ TEST_F(ThreadTerminationTest, TerminateConsole) {
CHECK(isolate()->IsExecutionTerminating());
}

TEST_F(ThreadTerminationTest, TerminationClearArrayJoinStack) {
internal::v8_flags.allow_natives_syntax = true;
HandleScope scope(isolate());
Local<ObjectTemplate> global_template =
CreateGlobalTemplate(isolate(), TerminateCurrentThread, DoLoopNoCall);
{
Local<Context> context = Context::New(isolate(), nullptr, global_template);
Context::Scope context_scope(context);
{
TryCatch try_catch(isolate());
TryRunJS(
"var error = false;"
"var a = [{toString(){if(error)loop()}}];"
"function Join(){ return a.join();}; "
"%PrepareFunctionForOptimization(Join);"
"Join();"
"%OptimizeFunctionOnNextCall(Join);"
"error = true;"
"Join();");
CHECK(try_catch.HasTerminated());
CHECK(isolate()->IsExecutionTerminating());
}
EXPECT_THAT(RunJS("a[0] = 1; Join();"), testing::IsString("1"));
}
{
Local<Context> context = Context::New(isolate(), nullptr, global_template);
Context::Scope context_scope(context);
{
TryCatch try_catch(isolate());
TryRunJS(
"var a = [{toString(){loop()}}];"
"function Join(){ return a.join();}; "
"Join();");
CHECK(try_catch.HasTerminated());
CHECK(isolate()->IsExecutionTerminating());
}
EXPECT_THAT(RunJS("a[0] = 1; Join();"), testing::IsString("1"));
}
{
ConsoleImpl console;
debug::SetConsoleDelegate(isolate(), &console);
HandleScope scope(isolate());
Local<Context> context = Context::New(isolate(), nullptr, global_template);
Context::Scope context_scope(context);
{
// setup console global.
HandleScope scope(isolate());
Local<String> name = String::NewFromUtf8Literal(
isolate(), "console", NewStringType::kInternalized);
Local<Value> console = context->GetExtrasBindingObject()
->Get(context, name)
.ToLocalChecked();
context->Global()->Set(context, name, console).FromJust();
}
CHECK(!isolate()->IsExecutionTerminating());
{
TryCatch try_catch(isolate());
CHECK(!isolate()->IsExecutionTerminating());
CHECK(TryRunJS("var a = [{toString(){terminate();console.log();fail()}}];"
"function Join() {return a.join();}"
"Join();")
.IsEmpty());
CHECK(try_catch.HasCaught());
CHECK(isolate()->IsExecutionTerminating());
}
EXPECT_THAT(RunJS("a[0] = 1; Join();"), testing::IsString("1"));
}
}

class TerminatorSleeperThread : public base::Thread {
public:
explicit TerminatorSleeperThread(Isolate* isolate, int sleep_ms)
Expand Down

0 comments on commit 4107ce0

Please sign in to comment.