details: https://hg.nginx.org/njs/rev/1137ad409fee
branches:
changeset: 1967:1137ad409fee
user: Dmitry Volyntsev <xei...@nginx.com>
date: Tue Sep 27 16:52:31 2022 -0700
description:
Fixed handling of unhandled promise rejection.
Previously, a direct pointer to the first element of an array of
rejected promise values was used to convert that element to a string.
This is not correct because that pointer may become invalid if rejected
promise values array is resized between invocation of "toString" and
"valueOf" methods which are called while converting the element to a
string.
The fix is to ensure that the rejected promise value is never changed.
This closes #580 issue on Github.
diffstat:
src/njs_vm.c | 4 ++--
test/js/promise_rejection_tracker_recursive.t.js | 14 ++++++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
diffs (32 lines):
diff -r 770f64020ada -r 1137ad409fee src/njs_vm.c
--- a/src/njs_vm.c Tue Sep 27 16:40:06 2022 -0700
+++ b/src/njs_vm.c Tue Sep 27 16:52:31 2022 -0700
@@ -579,8 +579,8 @@ njs_vm_handle_events(njs_vm_t *vm)
}
if (njs_vm_unhandled_rejection(vm)) {
- ret = njs_value_to_string(vm, &string,
- &vm->promise_reason->start[0]);
+ njs_value_assign(&string, &vm->promise_reason->start[0]);
+ ret = njs_value_to_string(vm, &string, &string);
if (njs_slow_path(ret != NJS_OK)) {
return ret;
}
diff -r 770f64020ada -r 1137ad409fee
test/js/promise_rejection_tracker_recursive.t.js
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/js/promise_rejection_tracker_recursive.t.js Tue Sep 27 16:52:31
2022 -0700
@@ -0,0 +1,14 @@
+/*---
+includes: []
+flags: []
+negative:
+ phase: runtime
+---*/
+
+String.toString = async () => {
+ String.prototype.concat([String, {toString(){ throw String; }}]);
+ throw 1;
+};
+String.valueOf = String;
+
+(async function() { throw String; })()
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-le...@nginx.org
