Fix null pointer to proxy handler

fbmal7 · facebook-github-bot · commit d8ce9fccaf2f · 2023-07-11T16:54:12.000-07:00
Summary: Take a reference to the `handler` of the proxy before calling `findTrap`, as we currently do for `target`. This respects the spec, [10.5.8 [[Get]]](https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-get-p-receiver). According to spec, here is the ordering of events ``` 1. Perform ? ValidateNonRevokedProxy(O). 2. Let target be O.[[ProxyTarget]]. 3. Let handler be O.[[ProxyHandler]]. .... 7. Let trapResult be ? Call(trap, handler, « target, P, Receiver »). ``` So, the very first thing we must do is take a reference to `handler` once we have established we are not a revoked proxy. Then, this handler is used as a reference elsewhere in the code. Reviewed By: neildhar Differential Revision: D47347863 fbshipit-source-id: c067481f0e776e3adfda8ba99782188ca21b89fc
diff --git a/lib/VM/JSProxy.cpp b/lib/VM/JSProxy.cpp
@@ -944,8 +944,12 @@ CallResult<PseudoHandle<>> JSProxy::getNamed(
   if (LLVM_UNLIKELY(depthTracker.overflowed())) {
     return runtime.raiseStackOverflow(Runtime::StackOverflowKind::NativeStack);
   }
-  Handle<JSObject> target =
-      runtime.makeHandle(detail::slots(*selfHandle).target);
+  // Make sure to retrieve the target and handler before calling findTrap, as
+  // that may result in these fields being erased if the proxy is revoked in the
+  // handler.
+  auto &slots = detail::slots(*selfHandle);
+  Handle<JSObject> target = runtime.makeHandle(slots.target);
+  Handle<JSObject> handler = runtime.makeHandle(slots.handler);
   CallResult<Handle<Callable>> trapRes =
       detail::findTrap(selfHandle, runtime, Predefined::get);
   if (trapRes == ExecutionStatus::EXCEPTION) {
@@ -962,7 +966,7 @@ CallResult<PseudoHandle<>> JSProxy::getNamed(
                              runtime.getStringPrimFromSymbolID(name)))
                        : runtime.makeHandle(name),
       *trapRes,
-      runtime.makeHandle(detail::slots(*selfHandle).handler),
+      handler,
       target,
       receiver);
 }
diff --git a/test/hermes/regress-revocable-proxy.js b/test/hermes/regress-revocable-proxy.js
@@ -0,0 +1,21 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: %hermes -O %s | %FileCheck %s
+
+var handler = {
+    get get() {
+        revoke();
+        return ()=>{
+            gc();
+            return () => { print("complete"); }
+        };
+    }
+};
+let { proxy, revoke } = Proxy.revocable([], handler);
+proxy.prop();
+// CHECK: complete
