vm: avoid stack overflow on recursive accessor calls #4699

Open
Flamki wants to merge 2 commits into boa-dev:main from Flamki:fix/getter-setter-recursion-4535

Flamki commented Feb 23, 2026

This Pull Request fixes/closes #4535.

Summary

  • Track nested host-driven VM re-entry (JsObject::call / JsObject::construct) with a new Vm::host_call_depth counter.
  • Include host_call_depth in Context::check_runtime_limits() recursion checks so recursive accessor calls fail with RuntimeLimitError::Recursion instead of overflowing the native stack.
  • Unignore and strengthen the regression test in vm/tests.rs by exercising the async-generator then getter recursion path with a higher recursion limit.

Notes

  • I could not run cargo in this environment (toolchain not available), so CI is expected to validate formatting, lint, and tests.

github-actions bot commented Feb 23, 2026

Test262 conformance changes

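| Test result | main count | PR count | difference |
|-------------|------------|----------|------------|
| Total       | 52,862     | 52,862   | 0          |
| Passed      | 49,497     | 49,504   | +7         |
| Ignored     | 2,261      | 2,262    | +1         |
| Failed      | 1,104      | 1,096    | -8         |
| Panics      | 0          | 0        | 0          |
| Conformance | 93.63%     | 93.65%   | +0.01%     |

Fixed tests (8):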
test/staging/sm/RegExp/unicode-raw.js (previously Failed)
test/staging/sm/RegExp/unicode-class-raw.js (previously Failed)
test/built-ins/String/prototype/replace/regexp-prototype-replace-v-u-flag.js (previously Failed)
test/built-ins/String/prototype/matchAll/regexp-prototype-matchAll-v-u-flag.js (previously Failed)
test/built-ins/String/prototype/search/regexp-prototype-search-v-flag.js (previously Failed)
test/built-ins/String/prototype/search/regexp-prototype-search-v-u-flag.js (previously Failed)
test/built-ins/String/prototype/match/regexp-prototype-match-v-u-flag.js (previously Failed)
test/built-ins/RegExp/prototype/exec/regexp-builtin-exec-v-u-flag.js (previously Failed)

Flamki force-pushed the fix/getter-setter-recursion-4535 branch from 430081c to 9966682, February 25, 2026 06:48

Flamki commented Feb 25, 2026

Follow-up hardening pushed in 9966682.

What I changed:

  • Rebased branch on latest main.
  • Added a dedicated regression test for recursive setters:
      • recursion_in_setter_throws_uncatchable_error
      • asserts RuntimeLimitError::Recursion for set x(v) { this.x = v; } recursion.

This complements the existing async-generator getter regression and ensures both accessor call directions are covered by runtime-limit behavior.
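
The mechanism from the PR summary and the setter case above, as an added toy model in Rust. It is not Boa's code and not part of this pull request: `Vm`, `Context`, `host_call` and `accessor_chain` are simplified, hypothetical stand-ins that reuse the names from the description, and the limit of 512 is a constructed value.

```rust
// Toy model, not Boa's code: host-driven re-entry counts against the limit.
#[derive(Debug, PartialEq)]
enum RuntimeLimitError { Recursion }

struct Vm { frame_depth: usize, host_call_depth: usize }
struct Context { vm: Vm, recursion_limit: usize }

impl Context {
    // Bytecode frames and nested host calls share one recursion budget.
    fn check_runtime_limits(&self) -> Result<(), RuntimeLimitError> {
        if self.vm.frame_depth + self.vm.host_call_depth > self.recursion_limit {
            return Err(RuntimeLimitError::Recursion);
        }
        Ok(())
    }

    // Hypothetical stand-in for a host-driven call (an accessor invocation).
    // The counter is restored on the error path too, so one failing script
    // does not leave the context permanently over its limit.
    fn host_call<T>(
        &mut self,
        body: impl FnOnce(&mut Context) -> Result<T, RuntimeLimitError>,
    ) -> Result<T, RuntimeLimitError> {
        self.vm.host_call_depth += 1;
        let result = match self.check_runtime_limits() {
            Ok(()) => body(&mut *self),
            Err(e) => Err(e),
        };
        self.vm.host_call_depth -= 1;
        result
    }
}

// Models an accessor whose body re-enters an accessor `levels` more times.
// `usize::MAX` stands for `set x(v) { this.x = v; }`, which never stops itself.
fn accessor_chain(ctx: &mut Context, levels: usize) -> Result<usize, RuntimeLimitError> {
    if levels == 0 {
        return Ok(ctx.vm.host_call_depth); // deepest nesting reached
    }
    ctx.host_call(|ctx| accessor_chain(ctx, levels - 1))
}

fn main() {
    let mut ctx = Context { vm: Vm { frame_depth: 0, host_call_depth: 0 }, recursion_limit: 512 };
    println!("bounded: {:?}", accessor_chain(&mut ctx, 10));
    println!("unbounded: {:?}", accessor_chain(&mut ctx, usize::MAX));
    println!("depth after error: {}", ctx.vm.host_call_depth);
}
```

The error is returned after a bounded number of native frames, and the same context can run further calls afterwards because the counter unwinds to zero.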

jedel1043 (Member) commented

I'd suggest measuring the performance impact of this change, because keeping track of recursive native calls sounds like it could be detrimental for perf. You can use https://github.com/boa-dev/data/blob/main/bench/bench-v8/combined.js for this.

Successfully merging this pull request may close these issues.

Getters and setters can cause stack overflows
