rusty_racer 0.1.9 → 0.1.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8bae20d8fe811c8b1e9b171fe272d6481934d7fa2b1fbe978846605dd51e76d4
-  data.tar.gz: fa35ae7940c34c6c6ff54af93178b4f94200033c2a3fa4ca37f8e878bed829c3
+  metadata.gz: 7df2aeec586e04d155d2635f6df9b51e219b31108fad5829e7a5ed5eb8a784a3
+  data.tar.gz: '099e1e39f64e041d082fb86269ae4265406e4f05279e3d24909a9e6f4fa89de0'
 SHA512:
-  metadata.gz: 8b98d2be3c82bf39d69dc5d3389927a1fd5872f8ace99028da3f9ffd5116464b17d8a2c05f932039f2da0a769599d22b5f870a01ac35b8ade7b8d263ae5f3c80
-  data.tar.gz: 3391fb308a736f925d56d34cfb649a262a2d9c58f8227bd28706f4da8f366aaebad779510203a57f2e7eb1507888100eb578400318addafbbbb9c4a004d69ca9
+  metadata.gz: 5d8f2b15aca012b8c3933b960009e1d248cf2284774eff23c4740688796dfff97d4fe647fc0792f68e70fe4a66aa4fb4cdb7869451a82fac625178f57b8f56d2
+  data.tar.gz: c66d30a7c1bfd8d00f62c7ee99e6356f1f9f6c4a8aeebab9e05552a945c51d54f4dd31f3787fa95bd60e425e1dae3240fdb90186c9c2bb87a7b945a0b55b06cd

data/ext/rusty_racer/Cargo.toml

@@ -4,7 +4,7 @@
 # libv8-rusty needed under the cibuildgem native-per-platform model).
 [package]
 name = "rusty_racer"
-version = "0.1.9"
+version = "0.1.10"
 edition = "2021"
 publish = false
 

data/ext/rusty_racer/src/lib.rs

@@ -629,6 +629,12 @@ struct IsolateState {
     // platform-derived default, whose value we don't otherwise know — so we restore
     // to this captured initial instead. 0 until the callback has fired at least once.
     oom_initial_limit: usize,
+    // The JS stack captured at a watchdog timeout: when a deadline fires, the
+    // watchdog requests an interrupt that runs on THIS thread with JS still live
+    // (see timeout_interrupt) and snapshots the stack here BEFORE terminating, so
+    // the ScriptTerminatedError can name what was running. Taken (cleared) when the
+    // terminated op's error is built; None for any non-timeout outcome.
+    timeout_backtrace: Option<Vec<String>>,
 }
 
 impl IsolateState {
@@ -652,6 +658,7 @@ impl IsolateState {
             watchdog: WatchdogShared::new(),
             oom_fired: false,
             oom_initial_limit: 0,
+            timeout_backtrace: None,
         }
     }
 }
@@ -1972,6 +1979,10 @@ impl Isolate {
         // Registered unconditionally — with memory_limit it guards that ceiling,
         // without one it guards V8's default ceiling (catchable, not a process abort).
         boxed.add_near_heap_limit_callback(near_heap_limit_cb, iso_ptr.0 as *mut c_void);
+        // Wire the watchdog's interrupt target now that iso_ptr is stable: on a
+        // timeout the loop requests an interrupt against this ptr to capture the JS
+        // stack on the isolate thread before terminating (see timeout_interrupt).
+        watchdog.set_iso_ptr(iso_ptr.0 as *mut c_void);
         let iso_id = NEXT_ISOLATE_ID.fetch_add(1, Ordering::SeqCst);
         isolates().lock().unwrap().insert(iso_id, SendIso(boxed));
         // Root the owner Thread VALUE so its address can't be reused while this
@@ -2049,6 +2060,16 @@ impl Core {
         self.ensure_owner_and_live(ruby)?;
         let iso = self.iso_ptr.0;
         let depth = self.depth.fetch_add(1, Ordering::SeqCst);
+        // Drop any prior timeout's captured stack at the START of an OUTERMOST op,
+        // so it can't leak onto this op's error. Cleared only at depth 0 (not for
+        // nested ops) on purpose: a nested timeout's terminate is isolate-global
+        // and tears down the whole op stack, so EVERY frame's error (nested and the
+        // escalated outer one) should surface the same culprit — reply_value peeks
+        // (clones) rather than takes, leaving it readable for the outer frame until
+        // the next outermost op clears it here.
+        if depth == 0 {
+            istate!(unsafe { &mut *iso }).timeout_backtrace = None;
+        }
         // EVERYTHING that touches V8 — enter, the scope, the JS run, the scope
         // drop, exit — happens inside ONE without_gvl, hence on ONE native thread
         // with no GVL boundary in between: M:N could otherwise migrate us to a
@@ -2196,9 +2217,18 @@ impl Core {
     }
 
     // Map a terminal reply to a Ruby value (the common eval/call/run shape).
-    fn reply_value(ruby: &Ruby, reply: VmReply) -> Result<Value, Error> {
+    // &self so a Terminated outcome can pick up the JS stack the watchdog snapshot
+    // captured (see timeout_interrupt / take_timeout_backtrace).
+    fn reply_value(&self, ruby: &Ruby, reply: VmReply) -> Result<Value, Error> {
         match reply {
             VmReply::Done(Ok(val)) => jsval_to_ruby(ruby, &val),
+            // Clone (don't take): a nested timeout's terminate unwinds the whole op
+            // stack, so the escalated outer frame's error should name the same
+            // culprit too. The capture is dropped at the next outermost op's start
+            // (run), which keeps it from leaking onto an unrelated later op.
+            VmReply::Done(Err(VmError::Terminated)) => {
+                Err(terminated_error(ruby, self.peek_timeout_backtrace()))
+            }
             VmReply::Done(Err(e)) => Err(vm_err(ruby, e)),
             _ => Err(Error::new(
                 ruby.exception_runtime_error(),
@@ -2207,6 +2237,14 @@ impl Core {
         }
     }
 
+    // Clone the JS stack the watchdog's interrupt captured at the last timeout.
+    // Owner thread, isolate live — called right after run() returns, the same
+    // access pattern as swap_instantiate. Does NOT clear it (run() clears at the
+    // next outermost op) so a nested timeout's outer frame can read it too.
+    fn peek_timeout_backtrace(&self) -> Option<Vec<String>> {
+        istate!(unsafe { &mut *self.iso_ptr.0 }).timeout_backtrace.clone()
+    }
+
     fn call_proc(
         &self,
         ruby: &Ruby,
@@ -2268,14 +2306,14 @@ impl Core {
             void,
             timeout_ms: self.default_timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     fn drain_microtasks(&self, ruby: &Ruby) -> Result<Value, Error> {
         let reply = self.run(ruby, Request::DrainMicrotasks {
             timeout_ms: self.default_timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     // Isolate#heap_statistics -> a Symbol-keyed Hash of v8::HeapStatistics
@@ -2303,7 +2341,7 @@ impl Core {
     // Isolate#low_memory_notification: ask V8 to run a full GC now.
     fn low_memory_notification(&self, ruby: &Ruby) -> Result<(), Error> {
         let reply = self.run(ruby, Request::LowMemoryNotification)?;
-        Self::reply_value(ruby, reply)?;
+        self.reply_value(ruby, reply)?;
         Ok(())
     }
 
@@ -2321,7 +2359,7 @@ impl Core {
             filename,
             timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     fn attach(&self, ruby: &Ruby, context_id: i32, name: String, proc: Proc) -> Result<Value, Error> {
@@ -2335,7 +2373,7 @@ impl Core {
             host_fn_id,
             timeout_ms: self.default_timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     // attach_many: install several host fns in ONE round-trip to the V8 thread
@@ -2367,7 +2405,7 @@ impl Core {
             entries: named_ids,
             timeout_ms: self.default_timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     // Release the GC roots of the procs attached into |context_id| — its
@@ -2381,7 +2419,7 @@ impl Core {
 
     fn reset(&self, ruby: &Ruby, context_id: i32) -> Result<Value, Error> {
         let reply = self.run(ruby, Request::Reset { context_id })?;
-        let out = Self::reply_value(ruby, reply)?;
+        let out = self.reply_value(ruby, reply)?;
         // Only on success — a refused reset (unknown/suspended realm) keeps
         // its attached fns callable.
         self.release_context_procs(context_id);
@@ -2391,13 +2429,13 @@ impl Core {
     // Build a new context; returns its id (replied as an Int).
     fn create_context(&self, ruby: &Ruby) -> Result<i32, Error> {
         let reply = self.run(ruby, Request::CreateContext)?;
-        let id = Self::reply_value(ruby, reply)?;
+        let id = self.reply_value(ruby, reply)?;
         i32::try_convert(id)
     }
 
     fn dispose_context(&self, ruby: &Ruby, context_id: i32) -> Result<(), Error> {
         let reply = self.run(ruby, Request::DisposeContext { context_id })?;
-        Self::reply_value(ruby, reply)?;
+        self.reply_value(ruby, reply)?;
         self.release_context_procs(context_id);
         Ok(())
     }
@@ -2470,7 +2508,7 @@ impl Core {
         if let Some(exc) = resolver_err {
             return Err(Error::from(*exc));
         }
-        Self::reply_value(ruby, reply?)
+        self.reply_value(ruby, reply?)
     }
 
     fn evaluate_module(&self, ruby: &Ruby, module_id: i32) -> Result<Value, Error> {
@@ -2478,22 +2516,22 @@ impl Core {
             module_id,
             timeout_ms: self.default_timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     fn module_namespace(&self, ruby: &Ruby, module_id: i32) -> Result<Value, Error> {
         let reply = self.run(ruby, Request::ModuleNamespace { module_id })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     fn module_status(&self, ruby: &Ruby, module_id: i32) -> Result<Value, Error> {
         let reply = self.run(ruby, Request::ModuleStatus { module_id })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     fn dispose_module(&self, ruby: &Ruby, module_id: i32) -> Result<(), Error> {
         let reply = self.run(ruby, Request::DisposeModule { module_id })?;
-        Self::reply_value(ruby, reply).map(|_| ())
+        self.reply_value(ruby, reply).map(|_| ())
     }
 
     // Classic script: compile, run, dispose.
@@ -2531,12 +2569,12 @@ impl Core {
             script_id,
             timeout_ms: self.default_timeout_ms,
         })?;
-        Self::reply_value(ruby, reply)
+        self.reply_value(ruby, reply)
     }
 
     fn dispose_script(&self, ruby: &Ruby, script_id: i32) -> Result<(), Error> {
         let reply = self.run(ruby, Request::DisposeScript { script_id })?;
-        Self::reply_value(ruby, reply).map(|_| ())
+        self.reply_value(ruby, reply).map(|_| ())
     }
 
     // Serialize a fresh bytecode cache from a compiled handle's current state
@@ -3088,6 +3126,36 @@ fn vm_err(ruby: &Ruby, e: VmError) -> Error {
     }
 }
 
+// Build a RustyRacer::ScriptTerminatedError, attaching the JS stack the watchdog
+// snapshotted at the timeout (top frame first) as both #js_backtrace and — when
+// non-empty — the exception's Ruby backtrace, plus the top frame in the message
+// so even plain logging names what was running. js_backtrace is None for a stop
+// that isn't a watchdog timeout (e.g. Isolate#terminate), where no stack was
+// captured; then #js_backtrace is [] and the Ruby backtrace is left intact.
+fn terminated_error(ruby: &Ruby, js_backtrace: Option<Vec<String>>) -> Error {
+    let class = err_class(ruby, "ScriptTerminatedError");
+    let frames = js_backtrace.unwrap_or_default();
+    let message = match frames.first() {
+        Some(top) => format!("JavaScript was terminated (timeout or stop); running: {top}"),
+        None => "JavaScript was terminated (timeout or stop)".to_string(),
+    };
+    let exc: Value = match class.funcall("new", (message.as_str(),)) {
+        Ok(v) => v,
+        Err(e) => return e,
+    };
+    // Always expose #js_backtrace (even []) so the accessor is never nil.
+    let _ = exc.funcall::<_, _, Value>("instance_variable_set", ("@js_backtrace", frames.clone()));
+    // Only override the Ruby backtrace when we actually have JS frames — for a
+    // bare stop, keep Ruby's own backtrace (the eval call site) instead of [].
+    if !frames.is_empty() {
+        let _ = exc.funcall::<_, _, Value>("set_backtrace", (frames,));
+    }
+    match magnus::Exception::from_value(exc) {
+        Some(e) => Error::from(e),
+        None => Error::new(class, message),
+    }
+}
+
 // Build a RustyRacer::RuntimeError carrying the JS stack as its Ruby backtrace.
 // Constructs the exception instance so we can set_backtrace before raising;
 // falls back to a plain Error if any of that fails.

data/ext/rusty_racer/src/watchdog.rs

@@ -12,13 +12,22 @@
 // op handlers and isolate setup (still in lib.rs) call them;
 // report_watchdog_anomaly is private to this module.
 
-use std::sync::atomic::{AtomicBool, Ordering};
+use std::ffi::c_void;
+use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
 use std::sync::{Arc, Condvar, Mutex};
 use std::time::{Duration, Instant};
 
 use crate::istate;
 use crate::{IsolateState, JsVal, VmError};
 
+// Top N JS frames captured at a timeout — enough to name the culprit without
+// walking a pathological deep stack.
+const MAX_TIMEOUT_FRAMES: usize = 32;
+// Per-frame string cap. Function names and (especially) script URLs are
+// attacker-controlled JS and can be arbitrarily long (a multi-KB data: URL);
+// cap each so a runaway can't bloat the error message / backtrace.
+const MAX_FRAME_NAME: usize = 256;
+
 // The watchdog runs on ONE persistent thread per isolate rather than a fresh
 // std::thread per request: spawning + joining a thread on every op cost ~16µs
 // (5.5x) when a timeout was set, dwarfing the actual work. The thread sleeps on
@@ -27,6 +36,11 @@ use crate::{IsolateState, JsVal, VmError};
 pub(crate) struct WatchdogShared {
     inner: Mutex<WatchdogInner>,
     cv: Condvar,
+    // The owning isolate's raw `*mut v8::Isolate` as a usize (0 until wired up by
+    // set_iso_ptr, right after the isolate is boxed). The loop needs it to address
+    // the RequestInterrupt callback's `data` at fire time; kept as an atomic
+    // (outside the Mutex) so the loop reads it without serialising on arm/disarm.
+    iso_ptr: AtomicUsize,
 }
 
 impl WatchdogShared {
@@ -40,9 +54,17 @@ impl WatchdogShared {
                 shutdown: false,
             }),
             cv: Condvar::new(),
+            iso_ptr: AtomicUsize::new(0),
         })
     }
 
+    // Wire up the isolate pointer once it is stable (after the OwnedIsolate is
+    // boxed). Called before any op can arm a deadline, so the loop always sees it
+    // set by the time it could fire.
+    pub(crate) fn set_iso_ptr(&self, iso_ptr: *mut std::ffi::c_void) {
+        self.iso_ptr.store(iso_ptr as usize, Ordering::Relaxed);
+    }
+
     // Signal the loop to stop and wake it. Called once at isolate teardown,
     // before the isolate is touched, so the loop can't fire a terminate into an
     // isolate we're mid-disposing.
@@ -94,8 +116,21 @@ pub(crate) fn watchdog_loop(shared: Arc<WatchdogShared>, handle: v8::IsolateHand
             Some(frame) => {
                 let now = Instant::now();
                 if now >= frame.deadline {
-                    handle.terminate_execution();
                     inner.fired_generation = Some(frame.generation);
+                    // Don't terminate directly: request an interrupt so the stack
+                    // is captured on the isolate thread (with JS live) before the
+                    // terminate — see timeout_interrupt. fired_generation is set
+                    // FIRST and we still hold `inner`, so the callback (which locks
+                    // `inner` to read it) can't run until we release, and will see
+                    // it set. Fall back to a direct terminate if the isolate ptr
+                    // isn't wired yet (can't happen once an op has armed) — never
+                    // leave a runaway un-terminated.
+                    let iso = shared.iso_ptr.load(Ordering::Relaxed);
+                    if iso != 0 {
+                        handle.request_interrupt(timeout_interrupt, iso as *mut c_void);
+                    } else {
+                        handle.terminate_execution();
+                    }
                     // Drop the fired frame so the loop moves on to the next
                     // deadline instead of re-firing this one every wakeup.
                     inner.frames.retain(|f| f.generation != frame.generation);
@@ -110,6 +145,92 @@ pub(crate) fn watchdog_loop(shared: Arc<WatchdogShared>, handle: v8::IsolateHand
 
 // (The watchdog Arc now lives in IsolateState; arm/disarm reach it via istate!.)
 
+// The RequestInterrupt callback the watchdog fires when a deadline passes. It
+// runs on the ISOLATE thread with the runaway JS still on the stack, so it can
+// snapshot the stack BEFORE TerminateExecution unwinds it. `data` is the
+// `*mut v8::Isolate` (the same pointer near_heap_limit_cb uses); the
+// UnsafeRawIsolatePtr arg is ignored.
+//
+// GUARDED by fired_generation: a RequestInterrupt callback can't be cancelled, so
+// one still pending after its op already disarmed must NOT capture+terminate the
+// NEXT op. It acts only while some fired deadline is still awaiting its terminate
+// (fired_generation set) — which is exactly when a terminate is warranted, for
+// whatever op is currently on the stack.
+unsafe extern "C" fn timeout_interrupt(_isolate: v8::UnsafeRawIsolatePtr, data: *mut c_void) {
+    let isolate = unsafe { &mut *(data as *mut v8::Isolate) };
+    let pending = isolate
+        .get_slot::<IsolateState>()
+        .map(|s| s.watchdog.inner.lock().unwrap().fired_generation.is_some())
+        .unwrap_or(false);
+    if !pending {
+        return;
+    }
+    // Enter SOME realm (the main one — always present) just to get a
+    // context-typed scope, which StackTrace::current_stack_trace requires.
+    // CurrentStackTrace reads the ISOLATE's running stack regardless of which
+    // realm is entered, so this captures the real runaway frames even if they're
+    // in another realm. Capture, stash for the unwinding op's error, THEN
+    // terminate (so the stack is still live when we snapshot it).
+    v8::scope!(let scope, isolate);
+    let Some(main) = istate!(scope).realms.main_context.clone() else {
+        scope.terminate_execution();
+        return;
+    };
+    let context = v8::Local::new(scope, &main);
+    let scope = &mut v8::ContextScope::new(scope, context);
+    let frames = capture_js_backtrace(scope, MAX_TIMEOUT_FRAMES);
+    istate!(scope).timeout_backtrace = Some(frames);
+    scope.terminate_execution();
+}
+
+// Snapshot up to |max_frames| of the current JS stack as "func (script:line:col)"
+// strings, top frame first. Empty when there's no JS stack (e.g. already
+// terminating) — best-effort, never fatal.
+fn capture_js_backtrace(scope: &mut v8::PinScope<'_, '_>, max_frames: usize) -> Vec<String> {
+    let Some(trace) = v8::StackTrace::current_stack_trace(scope, max_frames) else {
+        return Vec::new();
+    };
+    let count = trace.get_frame_count();
+    let mut out = Vec::with_capacity(count);
+    for i in 0..count {
+        let Some(frame) = trace.get_frame(scope, i) else {
+            continue;
+        };
+        let func = clamp_name(
+            frame
+                .get_function_name(scope)
+                .map(|s| s.to_rust_string_lossy(scope))
+                .filter(|s| !s.is_empty())
+                .unwrap_or_else(|| "<anonymous>".to_string()),
+        );
+        let script = clamp_name(
+            frame
+                .get_script_name_or_source_url(scope)
+                .map(|s| s.to_rust_string_lossy(scope))
+                .filter(|s| !s.is_empty())
+                .unwrap_or_else(|| "<unknown>".to_string()),
+        );
+        out.push(format!(
+            "{func} ({script}:{}:{})",
+            frame.get_line_number(),
+            frame.get_column()
+        ));
+    }
+    out
+}
+
+// Cap a frame name/script string at MAX_FRAME_NAME chars (on a char boundary),
+// appending an ellipsis when truncated, so an attacker-controlled long name can't
+// bloat the error.
+fn clamp_name(mut s: String) -> String {
+    if s.len() > MAX_FRAME_NAME {
+        let end = (0..=MAX_FRAME_NAME).rev().find(|&i| s.is_char_boundary(i)).unwrap_or(0);
+        s.truncate(end);
+        s.push('…');
+    }
+    s
+}
+
 // Arm the watchdog for this request: push a frame with its own deadline and
 // wake the loop. Returns the generation token to hand to `disarm_watchdog`
 // (None when timeout_ms is 0 — no watchdog for this request).

data/lib/rusty_racer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RustyRacer
-  VERSION = "0.1.9"
+  VERSION = "0.1.10"
 end

data/lib/rusty_racer.rb

@@ -26,7 +26,14 @@ module RustyRacer
   class EvalError < Error; end
   class ParseError < EvalError; end
   class RuntimeError < EvalError; end
-  class ScriptTerminatedError < EvalError; end
+  class ScriptTerminatedError < EvalError
+    # The JS stack at the moment the call timed out (watchdog), as
+    # ["func (script:line:col)", ...], top frame first — captured on the isolate
+    # thread just before TerminateExecution. [] when no stack was captured (e.g. a
+    # bare Isolate#terminate rather than a timeout). The same frames are also set
+    # as the exception's #backtrace when present.
+    def js_backtrace = @js_backtrace || []
+  end
   # Raised when JS allocation exceeds the isolate's heap ceiling (the configured
   # memory_limit, or V8's default ceiling when none was set). Catchable like any
   # eval error — a runaway script fails its own eval instead of aborting the

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rusty_racer
 version: !ruby/object:Gem::Version
-  version: 0.1.9
+  version: 0.1.10
 platform: ruby
 authors:
 - Keita Urashima
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-06-18 00:00:00.000000000 Z
+date: 2026-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rb_sys