[MERGE #5529 @VSadov] Avoid deep recursion in GetTypeOfString when dealing with proxies

Merge pull request #5529 from VSadov:fix18260402

It is unusual, but possible that proxies contain proxies and could be deeply nested. Recursion over such objects causes stack overflow and should be avoided.
With this fix we will unwrap proxies to the inermost proxy without recursing.

Fixes: OS:18260402

Found by OSS-Fuzz

Author: VSadov

lib/Runtime/Library/JavascriptProxy.cpp

@@ -1621,16 +1621,18 @@ namespace Js
 
     BOOL JavascriptProxy::GetDiagTypeString(StringBuilder<ArenaAllocator>* stringBuilder, ScriptContext* requestContext)
     {
+        const JavascriptProxy* proxy = UnwrapNestedProxies(this);
+
         //RecyclableObject* targetObj;
-        if (this->handler == nullptr)
+        if (proxy->handler == nullptr)
         {
             ThreadContext* threadContext = GetScriptContext()->GetThreadContext();
             // the proxy has been revoked; TypeError.
             if (!threadContext->RecordImplicitException())
                 return FALSE;
             JavascriptError::ThrowTypeError(GetScriptContext(), JSERR_ErrorOnRevokedProxy, _u("getTypeString"));
         }
-        return target->GetDiagTypeString(stringBuilder, requestContext);
+        return proxy->target->GetDiagTypeString(stringBuilder, requestContext);
     }
 
     RecyclableObject* JavascriptProxy::ToObject(ScriptContext * requestContext)
@@ -1649,7 +1651,9 @@ namespace Js
 
     Var JavascriptProxy::GetTypeOfString(ScriptContext* requestContext)
     {
-        if (this->handler == nullptr)
+        const JavascriptProxy* proxy = UnwrapNestedProxies(this);
+
+        if (proxy->handler == nullptr)
         {
             // even if handler is nullptr, return typeof as "object"
             return requestContext->GetLibrary()->GetObjectTypeDisplayString();
@@ -1662,7 +1666,7 @@ namespace Js
         else
         {
             // handle nested cases recursively
-            return this->target->GetTypeOfString(requestContext);
+            return proxy->target->GetTypeOfString(requestContext);
         }
     }
 

lib/Runtime/Library/JavascriptProxy.h

@@ -54,6 +54,26 @@ namespace Js
         static BOOL Is(_In_ RecyclableObject* obj);
         static JavascriptProxy* FromVar(Var obj) { AssertOrFailFast(Is(obj)); return static_cast<JavascriptProxy*>(obj); }
         static JavascriptProxy* UnsafeFromVar(Var obj) { Assert(Is(obj)); return static_cast<JavascriptProxy*>(obj); }
+
+        // before recursively calling something on 'target' use this helper in case there is nesting of proxies.
+        // the proxies could be deep nested and cause SO when processed recursively.
+        static const JavascriptProxy* UnwrapNestedProxies(const JavascriptProxy* proxy)
+        {
+            // continue while we have a proxy that is not revoked
+            while (proxy->handler != nullptr)
+            {
+                JavascriptProxy* nestedProxy = JavascriptOperators::TryFromVar<JavascriptProxy>(proxy->target);
+                if (nestedProxy == nullptr)
+                {
+                    break;
+                }
+
+                proxy = nestedProxy;
+            }
+
+            return proxy;
+        }
+
 #ifndef IsJsDiag
         RecyclableObject* GetTarget();
         RecyclableObject* GetHandler();

test/es6/ProxyInProxy.baseline

@@ -112,3 +112,5 @@ function
 *** proxied function and Function.prototype.toString.call
 function a() { }
 function a() { }
+*** deeply nested proxy and typeof
+pass

test/es6/ProxyInProxy.js

@@ -222,10 +222,27 @@ function test7() {
     // "function a() { }"
 }
 
+function test8() {
+    print("*** deeply nested proxy and typeof");
+
+    var nestedProxy = Proxy.revocable([], {}).proxy;
+    for (let i = 0; i < 1e5; i++) {
+        nestedProxy = new Proxy(nestedProxy, {});
+    }
+
+    (function () {
+        if (nestedProxy != null && typeof nestedProxy == "object")
+        {
+            console.log("pass");
+        }
+    })();
+}
+
 test1();
 test2();
 test3();
 test4();
 test5();
 test6();
 test7();
+test8();