Bug 271734 - nested array sort() loop Stack overflow exception [@ js_Mark]
Status: Closed, VERIFIED DUPLICATE of bug 203278
Opened 20 years ago, closed 20 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: joh_walt, Unassigned
Keywords: crash
Attachments (1 file): 176 bytes, text/html
User-Agent: Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0

Berend-Jan Wever writes on his homepage (see above) that the following small code snippet crashes most browsers.

<HTML>
<SCRIPT>
a = new Array();
while (1) {
  (a = new Array(a)).sort();
}
</SCRIPT>
<SCRIPT>
a = new Array();
while (1) {
  (a = new Array(a)).sort();
}
</SCRIPT>
</HTML>

Among others Firefox and Suite are affected. I've tested it on Win98 with Firefox 1.0 and Suite 1.8a5.

Reproducible: Always

Steps to Reproduce:
1. Open testcase

Actual Results:
Crash

Expected Results:
No Crash, no overwriting of foreign memory. Browser should ask to terminate the script.
Comment 1•20 years ago (Reporter)

Comment 2•20 years ago (Reporter)
Ok, crash also reproduced on Win2K with Firefox 1.0 (TB2174018Y) and Seamonkey 1.8a5 on Linux.
OS: Windows 98 → All
Comment 3•20 years ago
The crash with the same testcase is also addressed in bug 271716, bug 271718, and bug 271739.
Comment 4•20 years ago
I also saw the stacktrace from this bug once in a crash, but I could only reproduce the bug with _that_ stacktrace once (from that point on I only got different stacktraces).

With the testcase I crash immediately with FF 1.0 on WinNT4.

TB2171746X [@ js_Mark]
js_Mark [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 3859]
js_MarkGCThing [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 865]
js_MarkGCThing [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 919]
...
Keywords: crash
OS: All → Windows 98
Summary: nested array sort() loop Stack overflow exception → nested array sort() loop Stack overflow exception [@ js_Mark]
Comment 6•20 years ago
There are many ways to overflow the GC's mark phase stack right now. Igor's patch implementing Deutsch-Schorr-Waite, in bug 203278, fixes the "singly linked list" cases. Others remain, but this bug report is a straight dup.

/be

*** This bug has been marked as a duplicate of 203278 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
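Comment 6 above names the mitigation for this class of crash: the recursive mark phase (js_Mark calling js_MarkGCThing calling js_Mark, one C frame per nesting level) is replaced by Deutsch-Schorr-Waite pointer-reversal marking, which needs no call stack. The following C program is an added illustration, not SpiderMonkey's code and not Igor's patch: it models the testcase's object graph as a hypothetical `Obj` struct with a single child pointer (each `new Array(a)` holds exactly one reference, the previous array, so the graph is a singly linked chain), shows the recursive marker whose depth grows with the chain length, and marks a million-object chain with a DSW walk that stores the return path in the objects' own pointers and restores them afterwards. All names (`Obj`, `mark_dsw`, `mark_recursive`, `build_chain`) are assumptions for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Toy heap object mirroring the testcase: each "array" holds at most one
 * element, the previous array, so the graph is a singly linked chain.
 * Hypothetical type; this is not SpiderMonkey's JSObject. */
typedef struct Obj {
    struct Obj *child;   /* the one reference this object holds, or NULL */
    int marked;
} Obj;

/* Naive recursive mark, the shape that overflows the C stack: every link
 * in the chain costs one stack frame. *max_depth reports the deepest
 * recursion reached, so the cost is visible without actually crashing. */
static void mark_recursive(Obj *o, size_t cur_depth, size_t *max_depth) {
    if (o == NULL || o->marked)
        return;
    o->marked = 1;
    if (cur_depth > *max_depth)
        *max_depth = cur_depth;
    mark_recursive(o->child, cur_depth + 1, max_depth);
}

/* Deutsch-Schorr-Waite pointer-reversal mark for the single-child case.
 * O(1) extra memory: while descending, each visited object's child pointer
 * is turned around to point at the object we came from; while ascending,
 * the original pointers are put back. Already-marked objects (cycles) stop
 * the descent, so the walk always terminates. */
void mark_dsw(Obj *root) {
    Obj *prev = NULL;   /* head of the reversed-link chain back to the root */
    Obj *cur = root;

    /* Descend: mark each object and reverse its child link. */
    while (cur != NULL && !cur->marked) {
        Obj *next = cur->child;
        cur->marked = 1;
        cur->child = prev;
        prev = cur;
        cur = next;
    }
    /* Ascend: follow the reversed links back, restoring each child pointer
     * to the object we just returned from. */
    while (prev != NULL) {
        Obj *back = prev->child;
        prev->child = cur;
        cur = prev;
        prev = back;
    }
}

/* Constructed input: a chain of n objects with pool[i].child == &pool[i-1],
 * the shape produced by repeated `a = new Array(a)`. Returns the outermost
 * object, i.e. the GC root. */
Obj *build_chain(Obj *pool, size_t n) {
    for (size_t i = 0; i < n; i++) {
        pool[i].child = (i == 0) ? NULL : &pool[i - 1];
        pool[i].marked = 0;
    }
    return &pool[n - 1];
}

/* 1 if every object is marked and every link is back in place. */
int chain_ok(const Obj *pool, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!pool[i].marked)
            return 0;
        if (pool[i].child != ((i == 0) ? NULL : &pool[i - 1]))
            return 0;
    }
    return 1;
}

/* Mark a chain of n objects with DSW; 1 if the graph survived intact. */
int dsw_marks_chain(size_t n) {
    Obj *pool = calloc(n, sizeof *pool);
    if (pool == NULL)
        return 0;
    mark_dsw(build_chain(pool, n));
    int ok = chain_ok(pool, n);
    free(pool);
    return ok;
}

/* Recursion depth the naive marker needs for a chain of n objects. */
size_t recursive_depth(size_t n) {
    Obj *pool = calloc(n, sizeof *pool);
    size_t depth = 0;
    if (pool == NULL)
        return 0;
    mark_recursive(build_chain(pool, n), 1, &depth);
    free(pool);
    return depth;
}

/* Cycle case a->b->a: DSW must terminate and leave both links restored. */
int dsw_handles_cycle(void) {
    Obj a = { NULL, 0 }, b = { NULL, 0 };
    a.child = &b;
    b.child = &a;
    mark_dsw(&a);
    return a.marked && b.marked && a.child == &b && b.child == &a;
}

int main(void) {
    int ok = dsw_marks_chain(1000000) && recursive_depth(1000) == 1000
             && dsw_handles_cycle();
    return ok ? 0 : 1;   /* exit status 0 means all three checks passed */
}
```

The million-object chain is far deeper than any default C stack would let `mark_recursive` go, which is exactly the failure in the js_Mark stack trace above; `mark_dsw` walks it with two pointers. The price, as with the real algorithm, is that the heap is temporarily inconsistent during the mark, so nothing else may read object pointers until the ascent has restored them.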
Comment 7•20 years ago
> No Crash, no overwriting of foreign memory.

There is no overwriting of foreign memory -- the stack overflows and the OS kills the process.

> Browser should ask to terminate the script.

That will happen eventually; sooner with the impending fix for bug 237977.

/be
Status: RESOLVED → VERIFIED
Updated•13 years ago
Crash Signature: [@ js_Mark]