Issue 606955 link

Starred by 2 users

Issue metadata

Status:	Verified
Owner:	----
Closed:	May 2016
Cc:	rob@robwu.nl lazyboy@chromium.org
Components:	Platform>Extensions
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Bug
M-52

Extension APIs replace duplicate objects (in args) with null

Project Member Reported by rob@robwu.nl, Apr 26 2016

Issue description

Chrome version: 50.0.2661.75

Steps to reproduce:
1. Open the console in the context of an extension that uses the storage API (a content script is also good).
2. Run the following snippet
var v = {};
chrome.storage.local.set({x: [v, v]}, function() {
  chrome.storage.local.get('x', function(items) {
    console.log(items.x);
    chrome.storage.local.remove('x'); // Just to clean our mess.
  });
});
3. Look at the console output.

Expected result:
  [Object, Object]

Actual result:
  [Object, null]

More information:
This is caused by the naive counter-measure against circular references * in V8ValueConverterImpl ( bug 139933 ). It saves the identity of an object in a map, and skips objects that are in the map... A better way to counter circular references is to use depth-first-search and keep the duplicates on a stack.

* a circular reference is an object like this: v = {}; v.key = v;

Comment 1 by lazyboy@chromium.org, Apr 29 2016

Cc: rob@robwu.nl lazyboy@chromium.org
Status: Available (was: Untriaged)
Summary: Extension APIs replace duplicate objects (in args) with null (was: chrome.storage replaces duplicate objects with null)

Interesting, I bumped into this issue yesterday while working on https://bugs.chromium.org/p/chromium/issues/detail?id=574149, and ran into UpdateAndCheckUniqueness in V8ValueConverterImpl.

@rob, checking the uniqueness in current stack also seemed like a better way to handle this to me.

I'm going to reword the bug title to reflect that this can happen any any extension API and not just chrome.storage

Project Member

Comment 2 by bugdroid1@chromium.org, May 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/275ec3e2a5ce1d16fc9c2a0dab3b58f8a7b9fa38

commit 275ec3e2a5ce1d16fc9c2a0dab3b58f8a7b9fa38
Author: lazyboy <lazyboy@chromium.org>
Date: Wed May 04 18:04:24 2016

Properly detect cycles in V8ValueConverter, current impl is too strict.

Currently, just reusing a value in extension API would null out the
second occurrence of that value. Ideally, we only need to null out
a value if it introduces a cycle.

Examples of cycle:
1) var v = {}, v = {key: v};
2) var a = [], a = [1, a];

However, these are not cycles and this CL will correctly detect
them as non-cycles:
1) var v = {}, w = {keyA: v, keyB: v};
2) var a = [], b = [a, a]

BUG= 606955 
Test=See steps in OP https://crbug.com/detail?id=606955

Review-Url: https://codereview.chromium.org/1939233002
Cr-Commit-Position: refs/heads/master@{#391559}

[modify] https://crrev.com/275ec3e2a5ce1d16fc9c2a0dab3b58f8a7b9fa38/chrome/browser/extensions/api/declarative_content/declarative_content_apitest.cc
[modify] https://crrev.com/275ec3e2a5ce1d16fc9c2a0dab3b58f8a7b9fa38/content/child/v8_value_converter_impl.cc
[modify] https://crrev.com/275ec3e2a5ce1d16fc9c2a0dab3b58f8a7b9fa38/content/child/v8_value_converter_impl.h
[modify] https://crrev.com/275ec3e2a5ce1d16fc9c2a0dab3b58f8a7b9fa38/content/child/v8_value_converter_impl_unittest.cc

Comment 3 by rob@robwu.nl, May 9 2016

Labels: M-52
Status: Verified (was: Available)

Verified fixed in 52.0.2730.0

►

Issue 606955 link

Issue metadata

Extension APIs replace duplicate objects (in args) with null

Issue description

Comment 1 by lazyboy@chromium.org, Apr 29 2016

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, May 4 2016

Comment 2 Deleted

Comment 3 by rob@robwu.nl, May 9 2016

Comment 3 Deleted

Sign in to add a comment