Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Speculative fix for napi_set_property crash #10842

Merged
merged 1 commit into from May 7, 2024
Merged

Speculative fix for napi_set_property crash #10842

merged 1 commit into from May 7, 2024

Conversation

Jarred-Sumner
Copy link
Collaborator

What does this PR do?

We have received many crash reports for napi_set_property.

The crash implies that target is set to undefined (08) and we are calling .getObject() on it, without properly validating that it is an object

Node.js' implementation of napi_set_property checks target is an object via CHECK_TO_OBJECT(env, context, obj, object);.

This PR makes napi_set_property check that the property is an object first.

We also disable strict mode when putting the property. Since Node doesn't default to strict mode, it's a good bet napi_set_property shouldn't either.

How did you verify your code works?

No tests

@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2024

@Jarred-Sumner, your commit has failing tests :(

💪 2 failing tests Darwin AARCH64

💻 5 failing tests Darwin x64 baseline

💻 4 failing tests Darwin x64

🪟💻 7 failing tests Windows x64 baseline

🪟💻 6 failing tests Windows x64

View logs

dylan-conway
dylan-conway reviewed May 7, 2024
View reviewed changes
src/bun.js/bindings/napi.cpp
Identifier identifier = keyProp.toPropertyKey(globalObject);
RETURN_IF_EXCEPTION(scope, napi_generic_failure);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also need this exception check in napi_get_property before calling getIfPropertyExists

dylan-conway
dylan-conway reviewed May 7, 2024
View reviewed changes
src/bun.js/bindings/napi.cpp
JSValue jsValue = toJS(value);

object->put(object, globalObject, identifier, jsValue, slot);
RETURN_IF_EXCEPTION(scope, napi_generic_failure);
if (!object->put(object, globalObject, identifier, jsValue, slot)) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was this check added? How is put returning false different from an exception thrown?

dylan-conway
dylan-conway reviewed May 7, 2024
View reviewed changes
Copy link
Collaborator

@dylan-conway dylan-conway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two comments. Looks good, just confused why we have a check for false from obj->put

@Jarred-Sumner Jarred-Sumner merged commit 0a54bc0 into main May 7, 2024
41 of 52 checks passed
@Jarred-Sumner Jarred-Sumner deleted the jarred/speculative-napi-setProperty1 branch May 7, 2024 03:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dylan-conway dylan-conway dylan-conway left review comments

Assignees

@Jarred-Sumner Jarred-Sumner

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Jarred-Sumner @dylan-conway