console.log print error stack & reorganize implementation into functions #837

Merged
merged 1 commit into from
Sep 26, 2018


kevinkassimo
Contributor

Closes #684, print out error.stack when encountering object as instance of Error (since #676 is closed for now)

(Would attempt handling more special types and add print indentation once #826 lands. Would import code heavily from #676)

Member

@ry ry left a comment


LGTM - thanks

@ry ry merged commit 1e390e6 into denoland:master Sep 26, 2018
ry added a commit to ry/deno that referenced this pull request Sep 29, 2018
- Adds deno.stdin, deno.stdout, deno.stderr, deno.open(), deno.write(),
  deno.read(), deno.Reader, deno.Writer, deno.copy() denoland#846
- Print 'Compiling' when compiling TS.
- Support zero-copy for writeFile() writeFileSync() denoland#838
- Fixes eval error bug denoland#837
- Make Deno multithreaded denoland#782
- console.warn() goes to stderr denoland#810
- Add deno.readlink()/readlinkSync() denoland#797
- Add --recompile flag denoland#801
- Use constructor.name to print out function type denoland#664
- Rename deno.argv to deno.args
- Add deno.trace() denoland#795
- Continuous benchmarks https://denoland.github.io/deno/
@ry ry mentioned this pull request Sep 29, 2018
@kevinkassimo kevinkassimo deleted the console/error_etc branch December 27, 2019 07:52
hardfist pushed a commit to hardfist/deno that referenced this pull request Aug 7, 2024
Fixes crashes caused by denoland/deno_core#832
by making it the responsibility of `InnerIsolateState` to free the
cfunctioninfo/ctypeinfo _after_ dropping the isolate, instead of the
`OpCtx` freeing those on drop.

The cause of the crash is that the `OpCtx` gets dropped when the realm
is destroyed (and we free the fast api info), but the isolate still
lives because we don't destroy the isolate until [after destroying the
realm](https://github.com/denoland/deno_core/blob/19d2d603e506b4d6b6aa1f88c092dbd59f4000b6/core/runtime/jsrealm.rs#L183-L184).
In that time before we destroy the isolate, a V8 worker thread still has
a reference to the dropped CFunctionInfo, and boom UAF.
Here's a proper stacktrace for the check failure
```
#
# Fatal error in , line 0
# Check failed: c_argument_count >= kReceiver.
#
#
#
#FailureMessage Object: 0x17031cf28
==== C stack trace ===============================

    0   url_ops-d558488f29975416            0x0000000100a1aff4 v8::base::debug::StackTrace::StackTrace() + 24
    1   url_ops-d558488f29975416            0x0000000100a1f854 v8::platform::(anonymous namespace)::PrintStackTrace() + 24
    2   url_ops-d558488f29975416            0x0000000100a17cf8 V8_Fatal(char const*, ...) + 356
    3   url_ops-d558488f29975416            0x00000001018854c4 v8::internal::compiler::FastApiCallReducerAssembler::ReduceFastApiCall() + 1608
    4   url_ops-d558488f29975416            0x00000001018841a0 v8::internal::compiler::JSCallReducer::ReduceCallApiFunction(v8::internal::compiler::Node*, v8::internal::compiler::SharedFunctionInfoRef) + 856
    5   url_ops-d558488f29975416            0x0000000101886bac v8::internal::compiler::JSCallReducer::ReduceJSCall(v8::internal::compiler::Node*, v8::internal::compiler::SharedFunctionInfoRef) + 356
    6   url_ops-d558488f29975416            0x000000010187d564 v8::internal::compiler::JSCallReducer::ReduceJSCall(v8::internal::compiler::Node*) + 1120
    7   url_ops-d558488f29975416            0x000000010187d720 v8::internal::compiler::JSCallReducer::ReduceJSCall(v8::internal::compiler::Node*) + 1564
    8   url_ops-d558488f29975416            0x0000000101796c8c v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*) + 180
    9   url_ops-d558488f29975416            0x00000001017968e4 v8::internal::compiler::GraphReducer::ReduceTop() + 584
    10  url_ops-d558488f29975416            0x00000001017964d4 v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*) + 172
    11  url_ops-d558488f29975416            0x00000001018d96a8 v8::internal::compiler::InliningPhase::Run(v8::internal::compiler::TFPipelineData*, v8::internal::Zone*) + 704
    12  url_ops-d558488f29975416            0x00000001018cd664 auto v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::InliningPhase>() + 132
    13  url_ops-d558488f29975416            0x00000001018ca290 v8::internal::compiler::PipelineImpl::CreateGraph() + 232
    14  url_ops-d558488f29975416            0x00000001018c9edc v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl(v8::internal::RuntimeCallStats*, v8::internal::LocalIsolate*) + 248
    15  url_ops-d558488f29975416            0x0000000100aea274 v8::internal::OptimizedCompilationJob::ExecuteJob(v8::internal::RuntimeCallStats*, v8::internal::LocalIsolate*) + 80
    16  url_ops-d558488f29975416            0x0000000100b1d9e8 v8::internal::OptimizingCompileDispatcher::CompileNext(v8::internal::TurbofanCompilationJob*, v8::internal::LocalIsolate*) + 44
    17  url_ops-d558488f29975416            0x0000000100b1f298 v8::internal::OptimizingCompileDispatcher::CompileTask::Run(v8::JobDelegate*) + 396
    18  url_ops-d558488f29975416            0x0000000100a1c75c v8::platform::DefaultJobWorker::Run() + 216
    19  url_ops-d558488f29975416            0x0000000100a20d3c v8::platform::DefaultWorkerThreadsTaskRunner::WorkerThread::Run() + 160
    20  url_ops-d558488f29975416            0x0000000100a1a968 v8::base::ThreadEntry(void*) + 160
    21  libsystem_pthread.dylib             0x00000001810d6f94 _pthread_start + 136
```
The opctx gets dropped during
[JsRuntime::cleanup](https://github.com/denoland/deno_core/blob/19d2d603e506b4d6b6aa1f88c092dbd59f4000b6/core/runtime/jsruntime.rs#L175-L176),
called in
[InnerIsolateState::drop](https://github.com/denoland/deno_core/blob/19d2d603e506b4d6b6aa1f88c092dbd59f4000b6/core/runtime/jsruntime.rs#L207),
then we [drop the
isolate](https://github.com/denoland/deno_core/blob/19d2d603e506b4d6b6aa1f88c092dbd59f4000b6/core/runtime/jsruntime.rs#L218)
to destroy it
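
The teardown order that commit message describes, as an added Rust sketch (not deno_core code and not part of the commit): the per-op context only carries the raw pointer, and the owner of the isolate frees the pointed-to info after the isolate, and with it the worker thread, is gone. `FastApiInfo`, `Isolate`, `teardown_order` and the log strings are hypothetical stand-ins; the real types are V8's `CFunctionInfo`/`CTypeInfo` and deno_core's `OpCtx` and `InnerIsolateState`.

```rust
use std::{sync::{Arc, Mutex}, thread::{self, JoinHandle}, time::Duration};

type Log = Arc<Mutex<Vec<&'static str>>>;

// Hypothetical stand-ins, not deno_core types: the info V8 borrows, and an
// isolate whose worker thread keeps reading it until the isolate is destroyed.
struct FastApiInfo { arg_count: usize }
struct Isolate { worker: Option<JoinHandle<()>>, log: Log }

impl Drop for Isolate {
    fn drop(&mut self) {
        if let Some(w) = self.worker.take() { w.join().unwrap(); } // workers stop here
        self.log.lock().unwrap().push("isolate destroyed");
    }
}

// The per-op context keeps the raw pointer but has no Drop impl that frees it.
struct OpCtx { info: *mut FastApiInfo }
struct InnerIsolateState { op_ctxs: Vec<OpCtx>, isolate: Option<Isolate>, log: Log }

impl Drop for InnerIsolateState {
    fn drop(&mut self) {
        // 1. Realm teardown drops every OpCtx; only the pointers are kept.
        let infos: Vec<*mut FastApiInfo> = self.op_ctxs.drain(..).map(|c| c.info).collect();
        self.log.lock().unwrap().push("realm destroyed");
        // 2. Destroy the isolate, which joins the worker still using the info.
        drop(self.isolate.take());
        // 3. Only now is nothing left that can dereference the pointers.
        for p in infos { unsafe { drop(Box::from_raw(p)) } }
        self.log.lock().unwrap().push("fast api info freed");
    }
}

fn teardown_order() -> Vec<&'static str> {
    let log: Log = Arc::new(Mutex::new(Vec::new()));
    let info = Box::into_raw(Box::new(FastApiInfo { arg_count: 1 }));
    let (addr, wlog) = (info as usize, log.clone());
    let worker = thread::spawn(move || {
        thread::sleep(Duration::from_millis(50)); // outlive the realm teardown
        let n = unsafe { (*(addr as *const FastApiInfo)).arg_count };
        if n >= 1 { wlog.lock().unwrap().push("worker read info"); }
    });
    let isolate = Some(Isolate { worker: Some(worker), log: log.clone() });
    drop(InnerIsolateState { op_ctxs: vec![OpCtx { info }], isolate, log: log.clone() });
    let order = log.lock().unwrap().clone();
    order
}

fn main() { println!("{:?}", teardown_order()); }
```

Freeing the boxes in step 1 instead, as an `OpCtx` drop would, leaves the worker's later read pointing at freed memory, which is the ordering the message identifies as the cause of the crash.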
Successfully merging this pull request may close these issues.

ReferenceError doesn't pretty print/hold any metadata from eval