[inspector] Handle isolate termination gracefully

The inspector fuzzer is terminating the isolate after two seconds. At this point, we can be in pretty much any state, and any further JS execution would fail. This CL fixes an issue where we got the termination signal when creating a context for a regexp (while installing extensions). There might be more places that need fixing, but with this CL the linked issue does not reproduce locally any more, so it's a step forward. R=szuend@chromium.org, bmeurer@chromium.org Bug: chromium:1166549 Change-Id: I33b48205b71877aca6cfe5267f353fa899bfa05c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2636153Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Simon Zünd <szuend@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#72156}

[inspector] Handle isolate termination gracefully
The inspector fuzzer is terminating the isolate after two seconds. At this point, we can be in pretty much any state, and any further JS execution would fail. This CL fixes an issue where we got the termination signal when creating a context for a regexp (while installing extensions). There might be more places that need fixing, but with this CL the linked issue does not reproduce locally any more, so it's a step forward. R=szuend@chromium.org, bmeurer@chromium.org Bug: chromium:1166549 Change-Id: I33b48205b71877aca6cfe5267f353fa899bfa05c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2636153Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Simon Zünd <szuend@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#72156}
2c1d99e5 · Clemens Backes · Commit Bot · 852294fc · 2c1d99e5 · 2c1d99e5
Commit 2c1d99e5 authored Jan 18, 2021 by Clemens Backes Committed by Commit Bot Jan 19, 2021
5 changed files
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -5104,10 +5104,14 @@ bool Genesis::InstallExtension(Isolate* isolate,
      return false;
    }
  }
-  // We do not expect this to throw an exception. Change this if it does.
  bool result = CompileExtension(isolate, extension);
-  DCHECK(isolate->has_pending_exception() != result);
  if (!result) {
+    // If this failed, it either threw an exception, or the isolate is
+    // terminating.
+    DCHECK(isolate->has_pending_exception() ||
+           (isolate->has_scheduled_exception() &&
+            isolate->scheduled_exception() ==
+                ReadOnlyRoots(isolate).termination_exception()));
    // We print out the name of the extension that fail to install.
    // When an error is thrown during bootstrapping we automatically print
    // the line number at which this happened to the console in the isolate

--- a/src/inspector/v8-inspector-impl.cc
+++ b/src/inspector/v8-inspector-impl.cc
@@ -366,9 +366,14 @@ std::shared_ptr<V8Inspector::Counters> V8InspectorImpl::enableCounters() {
  return std::make_shared<Counters>(m_isolate);
 }

-v8::Local<v8::Context> V8InspectorImpl::regexContext() {
-  if (m_regexContext.IsEmpty())
+v8::MaybeLocal<v8::Context> V8InspectorImpl::regexContext() {
+  if (m_regexContext.IsEmpty()) {
    m_regexContext.Reset(m_isolate, v8::Context::New(m_isolate));
+    if (m_regexContext.IsEmpty()) {
+      DCHECK(m_isolate->IsExecutionTerminating());
+      return {};
+    }
+  }
  return m_regexContext.Get(m_isolate);
 }


--- a/src/inspector/v8-inspector-impl.h
+++ b/src/inspector/v8-inspector-impl.h
@@ -75,7 +75,7 @@ class V8InspectorImpl : public V8Inspector {
  v8::MaybeLocal<v8::Script> compileScript(v8::Local<v8::Context>,
                                           const String16& code,
                                           const String16& fileName);
-  v8::Local<v8::Context> regexContext();
+  v8::MaybeLocal<v8::Context> regexContext();

  // V8Inspector implementation.
  std::unique_ptr<V8InspectorSession> connect(int contextGroupId,

--- a/src/inspector/v8-regex.cc
+++ b/src/inspector/v8-regex.cc
@@ -18,7 +18,12 @@ V8Regex::V8Regex(V8InspectorImpl* inspector, const String16& pattern,
    : m_inspector(inspector) {
  v8::Isolate* isolate = m_inspector->isolate();
  v8::HandleScope handleScope(isolate);
-  v8::Local<v8::Context> context = m_inspector->regexContext();
+  v8::Local<v8::Context> context;
+  if (!m_inspector->regexContext().ToLocal(&context)) {
+    DCHECK(isolate->IsExecutionTerminating());
+    m_errorMessage = "terminated";
+    return;
+  }
  v8::Context::Scope contextScope(context);
  v8::TryCatch tryCatch(isolate);

@@ -48,7 +53,11 @@ int V8Regex::match(const String16& string, int startFrom,

  v8::Isolate* isolate = m_inspector->isolate();
  v8::HandleScope handleScope(isolate);
-  v8::Local<v8::Context> context = m_inspector->regexContext();
+  v8::Local<v8::Context> context;
+  if (!m_inspector->regexContext().ToLocal(&context)) {
+    DCHECK(isolate->IsExecutionTerminating());
+    return -1;
+  }
  v8::Context::Scope contextScope(context);
  v8::MicrotasksScope microtasks(isolate,
                                 v8::MicrotasksScope::kDoNotRunMicrotasks);

--- a/test/fuzzer/inspector/regress-1166549
+++ b/test/fuzzer/inspector/regress-1166549
+utils2 = new Proxy(utils, {get: function(target, prop) { if (prop in target) return target[prop]; return i=>i;}});
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+InspectorTest = {};
+InspectorTest._dumpInspectorProtocolMessages = false;
+InspectorTest._commandsForLogging = new Set();
+InspectorTest._sessions = new Set();
+
+InspectorTest.log = utils2.print.bind(utils2);
+InspectorTest.quitImmediately = utils2.quit.bind(utils2);
+
+InspectorTest.logProtocolCommandCalls = function(command) {
+  InspectorTest._commandsForLogging.add(command);
+}
+
+InspectorTest.completeTest = function() {
+  var promises = [];
+  for (var session of InspectorTest._sessions)
+    promises.push(session.Protocol.Debugger.disable());
+  Promise.all(promises).then(() => utils2.quit());
+}
+
+InspectorTest.ContextGroup = class {
+  constructor() {
+    this.id = utils2.createContextGroup();
+  }
+
+  addScript(string, lineOffset, columnOffset, url) {
+    utils2.compileAndRunWithOrigin(this.id, string, url || '', lineOffset || 0, columnOffset || 0, false);
+  }
+
+  connect() {
+    return new InspectorTest.Session(this);
+  }
+
+  reset() {
+    utils2.resetContextGroup(this.id);
+  }
+};
+
+InspectorTest.Session = class {
+  constructor(contextGroup) {
+    this.contextGroup = contextGroup;
+    this._dispatchTable = new Map();
+    this._eventHandlers = new Map();
+    this._requestId = 0;
+    this.Protocol = this._setupProtocol();
+    InspectorTest._sessions.add(this);
+    this.id = utils2.connectSession(contextGroup.id, '', this._dispatchMessage.bind(this));
+  }
+
+  disconnect() {
+    InspectorTest._sessions.delete(this);
+    utils2.disconnectSession(this.id);
+  }
+
+  reconnect() {
+    var state = utils2.disconnectSession(this.id);
+    this.id = utils2.connectSession(this.contextGroup.id, state, this._dispatchMessage.bind(this));
+  }
+
+  async addInspectedObject(serializable) {
+    return this.Protocol.Runtime.evaluate({expression: `inspector.addInspectedObject(${this.id}, ${JSON.stringify(serializable)})`});
+  }
+
+  sendRawCommand(requestId, command, handler) {
+    if (InspectorTest._dumpInspectorProtocolMessages)
+      utils2.print("frontend: " + command);
+    this._dispatchTable.set(requestId, handler);
+    utils2.sendMessageToBackend(this.id, command);
+  }
+
+  _sendCommandPromise(method, params) {
+    if (typeof params !== 'object')
+      utils2.print(`WARNING: non-object params passed to invocation of method ${method}`);
+    if (InspectorTest._commandsForLogging.has(method))
+      utils2.print(method + ' called');
+    var requestId = ++this._requestId;
+    var messageObject = { "id": requestId, "method": method, "params": params };
+    return new Promise(fulfill => this.sendRawCommand(requestId, JSON.stringify(messageObject), fulfill));
+  }
+
+  _setupProtocol() {
+    return new Proxy({}, { get: (target, agentName, receiver) => new Proxy({}, {
+      get: (target, methodName, receiver) => {
+        const eventPattern = /^on(ce)?([A-Z][A-Za-z0-9]+)/;
+        var match = eventPattern.exec(methodName);
+        if (!match)
+          return args => this._sendCommandPromise(`${agentName}.${methodName}`, args || {});
+        var eventName = match[2];
+        eventName = eventName.charAt(0).toLowerCase() + eventName.slice(1);
+        if (match[1])
+          return numOfEvents => this._waitForEventPromise(
+                     `${agentName}.${eventName}`, numOfEvents || 1);
+        return listener => this._eventHandlers.set(`${agentName}.${eventName}`, listener);
+      }
+    })});
+  }
+
+  _dispatchMessage(messageString) {
+    var messageObject = JSON.parse(messageString);
+    if (InspectorTest._dumpInspectorProtocolMessages)
+      utils2.print("backend: " + JSON.stringify(messageObject));
+    const kMethodNotFound = -32601;
+    if (messageObject.error && messageObject.error.code === kMethodNotFound) {
+      InspectorTest.log(`Error: Called non-existent method. ${
+          messageObject.error.message} code: ${messagebOject.error.code}`);
+      InspectorTest.completeTest();
+    }
+    try {
+      var messageId = messageObject["id"];
+      if (typeof messageId === "number") {
+        var handler = this._dispatchTable.get(messageId);
+        if (handler) {
+          handler(messageObject);
+          this._dispatchTable.delete(messageId);
+        }
+      } else {
+        var eventName = messageObject["method"];
+        var eventHandler = this._eventHandlers.get(eventName0);
+        if (eventName === "Debugger.scriptParsed" && messageObject.params.url === "wait-for-pending-tasks.js")
+          return;
+        if (eventHandler)
+          eventHandler(messageObject);
+      }
+    } catch (e) {
+      InspectorTest.log("Exception when dispatching message: " + e + "\n" + e.stack + "\n message = " + JSON.stringify(messageObject, null, 2));
+      InspectorTest.completeTest();
+    }
+  };
+
+  _waitForEventPromise(eventName, numOfEvents) {
+    let events = [];
+    return new Promise(fulfill => {
+      this._eventHandlers.set(eventName, result => {
+        --numOfEvents;
+        events.push(result);
+        if (numOfEvents === 0) {
+          delete this._eventHandlers.delete(eventName);
+          fulfill(events.length > 1 ? events : events[0]);
+        }
+      });
+    });
+  }
+};
+
+InspectorTest.start = function(description) {
+  try {
+    InspectorTest.log(description);
+    var contextGroup = new InspectorTest.ContextGroup();
+    var session = contextGroup.connect();
+    return { session: session, contextGroup: contextGroup, Protocol: session.Protocol };
+  } catch (e) {
+    utils2.print(e.stack);
+  }
+}
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let {session, contextGroup, Protocol} = InspectorTest.start('Checks stepping with blackboxed frames on stack');
+
+contextGroup.addScript(
+    `
+function userFoo() {
+  return 1;
+}
+
+function userBoo() {
+  return 2;
+}
+
+function testStepFromUser() {
+  frameworkCall([userFoo, userBoo])
+}
+
+function testStepFromFramework() {
+  frameworkBreakAndCall([userFoo, userBoo]);
+}
+//# sourceURL=user.js`,
+    21, 4);
+
+Protocol.Debugger.enable()
+    .then(
+        () => Protocol.Debugger.setBlackboxPatterns(
+            {patterns: ['framework\.js']}))
+    .then(() => InspectorTest.completeTest());