Explicitly check for revoked proxy in order to provide a better error message.

woess · woess · commit 60dd1e59dceb · 2020-04-02T17:43:09.000+02:00
diff --git a/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyCallNode.java b/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyCallNode.java
@@ -45,6 +45,7 @@
 import com.oracle.truffle.api.nodes.NodeCost;
 import com.oracle.truffle.api.nodes.NodeInfo;
 import com.oracle.truffle.api.object.DynamicObject;
+import com.oracle.truffle.api.profiles.BranchProfile;
 import com.oracle.truffle.api.profiles.ConditionProfile;
 import com.oracle.truffle.js.nodes.JavaScriptBaseNode;
 import com.oracle.truffle.js.nodes.function.JSFunctionCallNode;
@@ -69,8 +70,8 @@ public abstract class JSProxyCallNode extends JavaScriptBaseNode {
     @Child private JSFunctionCallNode callTrapNode;
     protected final boolean isNew;
     protected final boolean isNewTarget;
-    private final ConditionProfile callableProfile = ConditionProfile.createBinaryProfile();
     private final ConditionProfile pxTrapFunProfile = ConditionProfile.createBinaryProfile();
+    private final BranchProfile errorBranch = BranchProfile.create();
 
     protected JSProxyCallNode(JSContext context, boolean isNew, boolean isNewTarget) {
         this.callNode = isNewTarget ? JSFunctionCallNode.createNewTarget() : isNew ? JSFunctionCallNode.createNew() : JSFunctionCallNode.createCall();
@@ -97,10 +98,11 @@ protected Object doCall(Object[] arguments) {
         assert JSProxy.isProxy(function);
         DynamicObject proxy = (DynamicObject) function;
 
-        if (!callableProfile.profile(JSRuntime.isCallableProxy(proxy))) {
+        if (!JSRuntime.isCallableProxy(proxy)) {
+            errorBranch.enter();
             throw Errors.createTypeErrorNotAFunction(function, this);
         } else {
-            DynamicObject pxHandler = JSProxy.getHandlerChecked(proxy);
+            DynamicObject pxHandler = JSProxy.getHandlerChecked(proxy, errorBranch);
             Object pxTarget = JSProxy.getTarget(proxy);
             Object pxTrapFun = trapGetter.executeWithTarget(pxHandler);
             Object[] proxyArguments = JSArguments.extractUserArguments(arguments);
@@ -121,10 +123,11 @@ protected Object doConstruct(Object[] arguments) {
         assert JSProxy.isProxy(function);
         DynamicObject proxy = (DynamicObject) function;
 
-        if (!callableProfile.profile(JSRuntime.isConstructorProxy(proxy))) {
+        if (!JSRuntime.isConstructorProxy(proxy)) {
+            errorBranch.enter();
             throw Errors.createTypeErrorNotAFunction(function, this);
         } else {
-            DynamicObject pxHandler = JSProxy.getHandlerChecked(proxy);
+            DynamicObject pxHandler = JSProxy.getHandlerChecked(proxy, errorBranch);
             Object pxTarget = JSProxy.getTarget(proxy);
             Object pxTrapFun = trapGetter.executeWithTarget(pxHandler);
             Object newTarget = isNewTarget ? JSArguments.getNewTarget(arguments) : proxy;
@@ -133,12 +136,14 @@ protected Object doConstruct(Object[] arguments) {
                 if (!JSObject.isJSObject(pxTarget)) {
                     return JSInteropUtil.construct(pxTarget, constructorArguments);
                 }
-                return callNode.executeCall(isNewTarget ? JSArguments.createWithNewTarget(JSFunction.CONSTRUCT, pxTarget, newTarget, constructorArguments)
+                return callNode.executeCall(isNewTarget
+                                ? JSArguments.createWithNewTarget(JSFunction.CONSTRUCT, pxTarget, newTarget, constructorArguments)
                                 : JSArguments.create(JSFunction.CONSTRUCT, pxTarget, constructorArguments));
             }
             Object[] trapArgs = new Object[]{pxTarget, JSArray.createConstant(context, constructorArguments), newTarget};
             Object result = callTrapNode.executeCall(JSArguments.create(pxHandler, pxTrapFun, trapArgs));
             if (!JSRuntime.isObject(result)) {
+                errorBranch.enter();
                 throw Errors.createTypeErrorNotAnObject(result, this);
             }
             return result;
diff --git a/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyHasPropertyNode.java b/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyHasPropertyNode.java
@@ -46,6 +46,7 @@
 import com.oracle.truffle.api.nodes.NodeCost;
 import com.oracle.truffle.api.nodes.NodeInfo;
 import com.oracle.truffle.api.object.DynamicObject;
+import com.oracle.truffle.api.profiles.BranchProfile;
 import com.oracle.truffle.api.profiles.ConditionProfile;
 import com.oracle.truffle.js.nodes.JavaScriptBaseNode;
 import com.oracle.truffle.js.nodes.cast.JSToBooleanNode;
@@ -67,6 +68,7 @@ public abstract class JSProxyHasPropertyNode extends JavaScriptBaseNode {
     @Child private JSFunctionCallNode callNode;
     @Child private JSToBooleanNode toBooleanNode;
     @Child private JSToPropertyKeyNode toPropertyKeyNode;
+    private final BranchProfile errorBranch = BranchProfile.create();
 
     public JSProxyHasPropertyNode(JSContext context) {
         this.callNode = JSFunctionCallNode.createCall();
@@ -81,19 +83,13 @@ public static JSProxyHasPropertyNode create(JSContext context) {
 
     public abstract boolean executeWithTargetAndKeyBoolean(Object shared, Object key);
 
-    private void checkTrapResult(boolean accessible, boolean trapResult) {
-        if (!accessible && !trapResult) {
-            throw Errors.createTypeError("Proxy can't successfully access a non-writable, non-configurable property", this);
-        }
-    }
-
     @Specialization
     protected boolean doGeneric(DynamicObject proxy, Object key,
                     @Cached("createBinaryProfile()") ConditionProfile trapFunProfile) {
         assert JSProxy.isProxy(proxy);
         Object propertyKey = toPropertyKeyNode.execute(key);
+        DynamicObject handler = JSProxy.getHandlerChecked(proxy, errorBranch);
         Object target = JSProxy.getTarget(proxy);
-        DynamicObject handler = JSProxy.getHandler(proxy);
         Object trapFun = trapGetter.executeWithTarget(handler);
         if (trapFunProfile.profile(trapFun == Undefined.instance)) {
             if (JSObject.isJSObject(target)) {
@@ -104,8 +100,12 @@ protected boolean doGeneric(DynamicObject proxy, Object key,
         } else {
             Object callResult = callNode.executeCall(JSArguments.create(handler, trapFun, target, propertyKey));
             boolean trapResult = toBooleanNode.executeBoolean(callResult);
-            boolean accessible = JSProxy.checkPropertyIsSettable(target, propertyKey);
-            checkTrapResult(accessible, trapResult);
+            if (!trapResult) {
+                errorBranch.enter();
+                if (!JSProxy.checkPropertyIsSettable(target, propertyKey)) {
+                    throw Errors.createTypeError("Proxy can't successfully access a non-writable, non-configurable property", this);
+                }
+            }
             return trapResult;
         }
     }
diff --git a/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyPropertyGetNode.java b/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyPropertyGetNode.java
@@ -69,7 +69,6 @@ public abstract class JSProxyPropertyGetNode extends JavaScriptBaseNode {
 
     @Child protected GetMethodNode trapGet;
     @Child private JSFunctionCallNode callNode;
-    @Child private JSToPropertyKeyNode toPropertyKeyNode;
     @Child private JSGetOwnPropertyNode getOwnPropertyNode;
     @Child private JSIdenticalNode sameValueNode;
     private final BranchProfile errorBranch = BranchProfile.create();
@@ -87,12 +86,13 @@ public static JSProxyPropertyGetNode create(JSContext context) {
 
     @Specialization
     protected Object doGeneric(DynamicObject proxy, Object receiver, Object key,
+                    @Cached JSToPropertyKeyNode toPropertyKeyNode,
                     @Cached("createBinaryProfile()") ConditionProfile hasTrap,
                     @Cached JSClassProfile targetClassProfile) {
         assert JSProxy.isProxy(proxy);
         assert !(key instanceof HiddenKey);
-        Object propertyKey = toPropertyKey(key);
-        DynamicObject handler = JSProxy.getHandler(proxy);
+        Object propertyKey = toPropertyKeyNode.execute(key);
+        DynamicObject handler = JSProxy.getHandlerChecked(proxy, errorBranch);
         Object target = JSProxy.getTarget(proxy);
         Object trapFun = trapGet.executeWithTarget(handler);
         if (hasTrap.profile(trapFun == Undefined.instance)) {
@@ -145,12 +145,4 @@ private PropertyDescriptor getOwnProperty(DynamicObject target, Object propertyK
         }
         return getOwnPropertyNode.execute(target, propertyKey);
     }
-
-    private Object toPropertyKey(Object key) {
-        if (toPropertyKeyNode == null) {
-            CompilerDirectives.transferToInterpreterAndInvalidate();
-            toPropertyKeyNode = insert(JSToPropertyKeyNode.create());
-        }
-        return toPropertyKeyNode.execute(key);
-    }
 }
diff --git a/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyPropertySetNode.java b/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/JSProxyPropertySetNode.java
@@ -48,6 +48,7 @@
 import com.oracle.truffle.api.nodes.NodeInfo;
 import com.oracle.truffle.api.object.DynamicObject;
 import com.oracle.truffle.api.object.HiddenKey;
+import com.oracle.truffle.api.profiles.BranchProfile;
 import com.oracle.truffle.api.profiles.ConditionProfile;
 import com.oracle.truffle.js.nodes.JavaScriptBaseNode;
 import com.oracle.truffle.js.nodes.cast.JSToBooleanNode;
@@ -74,6 +75,7 @@ public abstract class JSProxyPropertySetNode extends JavaScriptBaseNode {
     @Child private JSToPropertyKeyNode toPropertyKeyNode;
     @Child private InteropLibrary interopNode;
     @Child private ExportValueNode exportValueNode;
+    private final BranchProfile errorBranch = BranchProfile.create();
 
     protected JSProxyPropertySetNode(JSContext context, boolean isStrict) {
         this.call = JSFunctionCallNode.createCall();
@@ -97,7 +99,7 @@ protected boolean doGeneric(DynamicObject proxy, Object receiver, Object value,
         assert JSProxy.isProxy(proxy);
         assert !(key instanceof HiddenKey);
         Object propertyKey = toPropertyKey(key);
-        DynamicObject handler = JSProxy.getHandler(proxy);
+        DynamicObject handler = JSProxy.getHandlerChecked(proxy, errorBranch);
         Object target = JSProxy.getTarget(proxy);
         Object trapFun = trapGet.executeWithTarget(handler);
         if (hasTrap.profile(trapFun == Undefined.instance)) {
@@ -111,6 +113,7 @@ protected boolean doGeneric(DynamicObject proxy, Object receiver, Object value,
         Object trapResult = call.executeCall(JSArguments.create(handler, trapFun, target, propertyKey, value, receiver));
         boolean booleanTrapResult = toBoolean.executeBoolean(trapResult);
         if (!booleanTrapResult) {
+            errorBranch.enter();
             if (isStrict) {
                 throw Errors.createTypeErrorTrapReturnedFalsish(JSProxy.SET, propertyKey);
             } else {
diff --git a/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/runtime/builtins/JSProxy.java b/graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/runtime/builtins/JSProxy.java
@@ -50,6 +50,7 @@
 import com.oracle.truffle.api.object.HiddenKey;
 import com.oracle.truffle.api.object.Property;
 import com.oracle.truffle.api.object.Shape;
+import com.oracle.truffle.api.profiles.BranchProfile;
 import com.oracle.truffle.js.builtins.ConstructorBuiltins;
 import com.oracle.truffle.js.builtins.ProxyFunctionBuiltins;
 import com.oracle.truffle.js.runtime.Boundaries;
@@ -104,15 +105,6 @@ public final class JSProxy extends AbstractJSClass implements PrototypeSupplier
         PROXY_HANDLER_PROPERTY = JSObjectUtil.makeHiddenProperty(PROXY_HANDLER, allocator.locationForType(DynamicObject.class));
     }
 
-    public static boolean isAccessibleProperty(DynamicObject proxy, Object key) {
-        Object target = JSProxy.getTarget(proxy);
-        if (JSObject.isJSObject(target)) {
-            return checkPropertyIsSettable(target, key);
-        } else {
-            return true; // best guess
-        }
-    }
-
     public static boolean checkPropertyIsSettable(Object truffleTarget, Object key) {
         assert JSRuntime.isPropertyKey(key);
         if (!JSObject.isJSObject(truffleTarget)) {
@@ -176,7 +168,16 @@ public static DynamicObject getHandler(DynamicObject obj) {
     public static DynamicObject getHandlerChecked(DynamicObject obj) {
         DynamicObject handler = getHandler(obj);
         if (handler == Null.instance) {
-            throw Errors.createTypeError("proxy handler must not be null");
+            throw Errors.createTypeErrorProxyRevoked();
+        }
+        return handler;
+    }
+
+    public static DynamicObject getHandlerChecked(DynamicObject obj, BranchProfile errorBranch) {
+        DynamicObject handler = getHandler(obj);
+        if (handler == Null.instance) {
+            errorBranch.enter();
+            throw Errors.createTypeErrorProxyRevoked();
         }
         return handler;
     }
@@ -222,7 +223,7 @@ public Object getOwnHelper(DynamicObject store, Object receiver, long index) {
     @TruffleBoundary
     private static Object proxyGetHelper(DynamicObject proxy, Object key, Object receiver) {
         assert JSRuntime.isPropertyKey(key);
-        DynamicObject handler = getHandler(proxy);
+        DynamicObject handler = getHandlerChecked(proxy);
         Object target = getTarget(proxy);
         Object trap = getTrapFromObject(handler, GET);
         if (trap == Undefined.instance) {
@@ -276,7 +277,7 @@ public boolean set(DynamicObject thisObj, long index, Object value, Object recei
     @TruffleBoundary
     private static boolean proxySet(DynamicObject thisObj, Object key, Object value, Object receiver, boolean isStrict) {
         assert JSRuntime.isPropertyKey(key);
-        DynamicObject handler = getHandler(thisObj);
+        DynamicObject handler = getHandlerChecked(thisObj);
         Object target = getTarget(thisObj);
         Object trap = getTrapFromObject(handler, SET);
         if (trap == Undefined.instance) {
@@ -348,7 +349,7 @@ public boolean hasProperty(DynamicObject thisObj, long index) {
     @Override
     public boolean hasProperty(DynamicObject thisObj, Object key) {
         assert JSRuntime.isPropertyKey(key);
-        DynamicObject handler = getHandler(thisObj);
+        DynamicObject handler = getHandlerChecked(thisObj);
         Object target = getTarget(thisObj);
         Object trap = getTrapFromObject(handler, HAS);
         if (trap == Undefined.instance) {
@@ -360,8 +361,10 @@ public boolean hasProperty(DynamicObject thisObj, Object key) {
         }
 
         boolean trapResult = JSRuntime.toBoolean(JSRuntime.call(trap, handler, new Object[]{target, key}));
-        if (!trapResult && !isAccessibleProperty(thisObj, key)) {
-            throw Errors.createTypeErrorConfigurableExpected();
+        if (!trapResult) {
+            if (!JSProxy.checkPropertyIsSettable(target, key)) {
+                throw Errors.createTypeErrorConfigurableExpected();
+            }
         }
         return trapResult;
     }
