Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(790)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 9197045: Add reference graph scanner for finding mutability and host object leak bugs. (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
12 years, 10 months ago by kpreid2
Modified:
12 years, 10 months ago
Reviewers:
felix8a
CC:
google-caja-discuss_googlegroups.com
Base URL:
http://google-caja.googlecode.com/svn/trunk/
Visibility:
Public.

Description

The scanner runs as a guest test and examines every object reachable by property and prototype traversal and invoking functions (based on hardcoded definitions of possible argument lists). It checks for: * Objects which are unfrozen and not specifically expected to be. * Objects which are from the host frame, including exceptions. * Domado taming constructors. * toString methods which do not return strings. Supporting changes: * browser-test-case.js exposes an interface to the guest to modify URL parameters. * jsunitFail is available to the guests and passes along a reason. * New directAccess facilities to eval in other frames. * A special case to extend the BrowserTestCase timeout for lack of progress, because the scanner does not quickly make progress as measured by number of not-yet-finished test cases. Possible future work which is NOT in this revision: * There is a test that toString methods are always non-enumerable, which has been disabled because there are many failures which ought to be fixed separately. * Meeting Domado taming constructors is an error, but this is a 'blacklist' strategy. Replace it with a 'whitelist' strategy which somehow is not excessively noisy about the myriad functions available. This is what innocuous() in Domado was introduced to support. (Or, use a blacklist based on inertCtor marking taming ctors as dangerous, which would be better than the current string-matching strategy.) * More coverage of mis-invoking methods. @r5411

Patch Set 1 #

Total comments: 32

Patch Set 2 : Add reference graph scanner for finding mutability and host object leak bugs. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+1832 lines, -10 lines) Patch
M build.xml View 1 1 chunk +3 lines, -0 lines 0 comments Download
M tests/com/google/caja/plugin/BrowserTestCase.java View 1 2 chunks +7 lines, -2 lines 0 comments Download
M tests/com/google/caja/plugin/CatalogTestCase.java View 1 1 chunk +1 line, -1 line 0 comments Download
M tests/com/google/caja/plugin/MainBrowserTest.java View 1 1 chunk +18 lines, -1 line 0 comments Download
M tests/com/google/caja/plugin/browser-test-case.js View 1 7 chunks +26 lines, -3 lines 0 comments Download
M tests/com/google/caja/plugin/browser-tests.json View 1 1 chunk +2 lines, -1 line 0 comments Download
A tests/com/google/caja/plugin/es53-test-scan-guest.html View 1 chunk +68 lines, -0 lines 0 comments Download
A tests/com/google/caja/plugin/es53-test-scan-guest.js View 1 1 chunk +1705 lines, -0 lines 0 comments Download
M tests/com/google/caja/plugin/jsunit.js View 1 1 chunk +2 lines, -2 lines 0 comments Download

Messages

Total messages: 4
kpreid2
12 years, 10 months ago (2013-05-16 22:51:56 UTC) #1
felix8a
lgtm++ https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es53-test-scan-guest.js File tests/com/google/caja/plugin/es53-test-scan-guest.js (right): https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es53-test-scan-guest.js#newcode14 tests/com/google/caja/plugin/es53-test-scan-guest.js:14: TODO, lint this and add @requires https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es53-test-scan-guest.js#newcode30 tests/com/google/caja/plugin/es53-test-scan-guest.js:30: ...
12 years, 10 months ago (2013-05-17 23:47:34 UTC) #2
kpreid2
The scanner runs as a guest test and examines every object reachable by property and ...
12 years, 10 months ago (2013-05-18 00:35:59 UTC) #3
kpreid2
12 years, 10 months ago (2013-05-18 00:36:53 UTC) #4 
New snapshot for the record, submitting.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
File tests/com/google/caja/plugin/es53-test-scan-guest.js (right):

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:14: 
On 2013/05/17 23:47:34, felix8a wrote:
> TODO, lint this and add @requires

Linted. Linter found an actual problem, too: the function invocation logic was
not always initializing 'thrown' (but instead the unused 'marker' variable, a
leftover).

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:30: function
simpleEval(env, expr) {
On 2013/05/17 23:47:34, felix8a wrote:
> simpleEval is a distracting name, it triggers my "eval needs extra attention"
> sensors, but this is only used for property lookup. maybe call it something
like
> "lookupValue" or "propertyValue"?
> 
> or are you intending to extend it with more eval forms later?

Well, it was invented as a kludge to work around the lack of eval. It's only
accidentally less powerful than eval, and I might well add function calls if I
later found I needed to refer to an object only available as
"someGlobal.getThing()" or "Object.getPrototypeOf(foo)" or some such.

I don't like the idea of renaming to be more specific because that implies there
is something meaningful about that more-specific concept.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:33: return simpleEval(env,
match[1])[match[2]];
On 2013/05/17 23:47:34, felix8a wrote:
> recursing from the right here seems odd to me, this can't become a tail-call.
> recursing from the left gets the same answer and can be a tail-call.

That recursion pattern doesn't work for eval and I want this to be a
straightforward implementation of part of eval.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:49: none: function none(c)
{},
On 2013/05/17 23:47:34, felix8a wrote:
> c -> callback

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:60: any: function
any(var_args) {
On 2013/05/17 23:47:34, felix8a wrote:
> either 'tupleg' is an odd name or 'any' is an odd name lacking a 'g' suffix. I
> think since all the generator functions except 'value' expect to recursively
> expand generators in their args, might as well omit the 'g' suffix in 'tupleg'
> and 'applyg'.

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:90: return function
GapplygGen(c) {
On 2013/05/17 23:47:34, felix8a wrote:
> c -> callback

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:100: return
G.applyg(function() {
On 2013/05/17 23:47:34, felix8a wrote:
> note var_args

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:131: if
(cajaVM.sharedImports) {
On 2013/05/17 23:47:34, felix8a wrote:
> this seems like a bad way of testing for es5.

So it is. Replaced with inES5Mode.

> es53 has a sharedImports, which is currently only on ___, but
> I don't see why we wouldn't want it also on cajaVM for regularity.

Neither do I, hence
https://code.google.com/p/google-caja/issues/detail?id=1719

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:156: } else if (m =
/^function (\w+)/.exec(
On 2013/05/17 23:47:34, felix8a wrote:
> add parens around assignment used as boolean
> maybe pattern should be ([\w$]+)

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:223: // Note identityGens
is an object-keyed map; doesn't need to be weak.
On 2013/05/17 23:47:34, felix8a wrote:
> what's identityGens?

Former name of identityTable. Comment rewritten.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:268: if (value =
identityTable.get(obj)) {
On 2013/05/17 23:47:34, felix8a wrote:
> add parens

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:416: } else if
(/^-?[0-9]+$/i.test(p)) {
On 2013/05/17 23:47:34, felix8a wrote:
> useless /i

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:588:
seenTable.set(o.prototype, globalName + '.prototype');
On 2013/05/17 23:47:34, felix8a wrote:
> o.prototype -> p

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:683: marker = ' thrown ';
On 2013/05/17 23:47:34, felix8a wrote:
> marker is set but not used

Done.

https://codereview.appspot.com/9197045/diff/1/tests/com/google/caja/plugin/es...
tests/com/google/caja/plugin/es53-test-scan-guest.js:690: var thrown;
On 2013/05/17 23:47:34, felix8a wrote:
> confusing location for var, move to function scope

Done. Note that thrown was not, but should have been, et in the places where the
unused 'marker' was.
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b