details:   https://hg.nginx.org/njs/rev/4911271d5453
branches:  
changeset: 2058:4911271d5453
user:      Dmitry Volyntsev <xei...@nginx.com>
date:      Tue Feb 28 00:26:45 2023 -0800
description:
Fixed attaching of a stack to an error object.

This problem is similar to previous commits.  When
njs_error_stack_attach() accepted the value as a pointer to vm->retval
that value might be changed as a side effect of njs_error_stack_new()
evaluation.  This may result in a garbage value for
njs_object(value) expression.

The workaround fix is to make a copy of vm->retval to ensure its
integrity and to preserve it as a retval. The proper fix is to
eliminate vm->retval altogether.

This fixes #612, #613, #616 issues on GitHub.

diffstat:

 src/njs_vmcode.c         |  7 ++++++-
 src/test/njs_unit_test.c |  6 ++++++
 2 files changed, 12 insertions(+), 1 deletions(-)

diffs (33 lines):

diff -r 3e33a686a9fd -r 4911271d5453 src/njs_vmcode.c
--- a/src/njs_vmcode.c  Mon Feb 27 23:55:55 2023 -0800
+++ b/src/njs_vmcode.c  Tue Feb 28 00:26:45 2023 -0800
@@ -1824,7 +1824,12 @@ error:
 
     if (njs_is_error(&vm->retval)) {
         vm->active_frame->native.pc = pc;
-        (void) njs_error_stack_attach(vm, &vm->retval);
+
+        /* TODO: get rid of copying. */
+
+        njs_value_assign(&dst, &vm->retval);
+        (void) njs_error_stack_attach(vm, &dst);
+        njs_value_assign(&vm->retval, &dst);
     }
 
     for ( ;; ) {
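Review bot: The comment on the new copy under the error: label, /* TODO: get rid of copying. */, does not say why the copy is there. The commit message explains that vm->retval can change as a side effect while the stack is being built; putting that reason in the comment would keep a later cleanup from collapsing the three lines back to passing &vm->retval directly. Separately, dst is not declared in this hunk, so it is an existing local reused as scratch space; please confirm that nothing reached after this block still depends on the value dst held before the error path, or use a dedicated local for the copy.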
diff -r 3e33a686a9fd -r 4911271d5453 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c  Mon Feb 27 23:55:55 2023 -0800
+++ b/src/test/njs_unit_test.c  Tue Feb 28 00:26:45 2023 -0800
@@ -23122,6 +23122,12 @@ static njs_unit_test_t  njs_backtraces_t
     { njs_str("function f(n) { if (n == 0) { throw 'a'; } return f(n-1); }; 
f(2)"),
       njs_str("a") },
 
+    { njs_str("Object.defineProperty(Function.__proto__, 'name', {get() { 
typeof 1;}});"
+              "(new Uint8Array()).every()"),
+      njs_str("TypeError: callback argument is not callable\n"
+              "    at TypedArray.prototype.every (native)\n"
+              "    at main (:1)\n") },
+
     /* line numbers */
 
     { njs_str("/**/(function(){throw Error();})()"),
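Review bot: Only one regression case is added to the backtraces table, the TypedArray every() call with a getter defined on Function.__proto__, while the commit message says the change fixes three issues (#612, #613, #616). If those reports reach the error path through different built-ins or different getters, each deserves its own entry here so that a future rework of vm->retval is checked against all three; if they reduce to the same script, a short comment above the entry naming the issue numbers would make that clear.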
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
