Closed Bug 271734 Opened 20 years ago Closed 20 years ago

nested array sort() loop Stack overflow exception [@ js_Mark]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 98
defect
Not set
critical

VERIFIED DUPLICATE of bug 203278

People

(Reporter: joh_walt, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0

Berend-Jan Wever writes on his homepage (see above) that the following small
code snippet crashes most browsers.

<HTML>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>

Among others Firefox and Suite are affected. I've tested it on Win98 with
Firefox 1.0 and Suite 1.8a5. 

Reproducible: Always
Steps to Reproduce:
1. Open testcase


Actual Results:  
Crash

Expected Results:  
No crash, no overwriting of foreign memory. Browser should ask to terminate the
script.
Ok, crash also reproduced on Win2K with Firefox 1.0 (TB2174018Y) and Seamonkey
1.8a5 on Linux.
OS: Windows 98 → All
The crash with the same testcase is also addressed in bug 271716, bug 271718,
and bug 271739.
I also saw the stacktrace from this bug once in a crash, but I could only
reproduce the bug with _that_ stacktrace once (from that point on I only got
different stacktraces).
With the testcase I crash immediately with FF 1.0 on WinNT4.

TB2171746X [@ js_Mark]

js_Mark 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
3859]
js_MarkGCThing 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 865]
js_MarkGCThing 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 919]
... 
Keywords: crash
OS: All → Windows 98
Summary: nested array sort() loop Stack overflow exception → nested array sort() loop Stack overflow exception [@ js_Mark]
There are many ways to overflow the GC's mark phase stack right now.  Igor's
patch implementing Deutsch-Schorr-Waite, in bug 203278, fixes the "singly linked
list" cases.  Others remain, but this bug report is a straight dup.

/be

*** This bug has been marked as a duplicate of 203278 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
> No Crash, no overwriting of foreign memory.

There is no overwriting of foreign memory -- the stack overflows and the OS
kills the process.

> Browser should ask to terminate the script.

That will happen eventually; sooner with the impending fix for bug 237977.

/be
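Added example, not code from this bug, from SpiderMonkey, or from Igor's patch in bug 203278: a toy mark phase in C that uses Deutsch-Schorr-Waite pointer reversal, to show why that approach survives the testcase's "a = new Array(a)" shape. The js_Mark / js_MarkGCThing frames in the trace above recurse once per nesting level, so a deep enough chain exhausts the C stack; the walk below parks the return path in the objects' own reference slots and uses constant stack. The Cell layout, the function names, and the chain depth are my own assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy GC cell (assumed layout, not SpiderMonkey's): two reference slots and
 * a mark bit.  ref[0] holding another Cell stands in for an array whose
 * element 0 is another array.  `slot` is scratch state used only while
 * marking: it records which outgoing edge is currently reversed. */
typedef struct Cell {
    struct Cell *ref[2];
    unsigned char marked;
    unsigned char slot;
} Cell;

/* Mark everything reachable from root with Deutsch-Schorr-Waite pointer
 * reversal.  On the way down, the edge just followed is overwritten with a
 * pointer to the parent; on the way back up it is restored.  Stack use is
 * constant regardless of nesting depth.  Returns the number of cells newly
 * marked, and leaves the graph structurally identical to before. */
size_t dsw_mark(Cell *root) {
    size_t marked = 0;
    Cell *cur = root, *parent = NULL;
    if (!cur || cur->marked) return 0;
    cur->marked = 1; cur->slot = 0; marked++;
    for (;;) {
        if (cur->slot < 2) {
            Cell *next = cur->ref[cur->slot];
            if (next && !next->marked) {
                next->marked = 1; next->slot = 0; marked++;
                cur->ref[cur->slot] = parent;   /* reverse the edge: remember the way back */
                parent = cur;
                cur = next;
            } else {
                cur->slot++;                    /* NULL or already marked (cycles): skip */
            }
            continue;
        }
        if (!parent) return marked;             /* every edge of the root is done */
        {
            Cell *up = parent;
            parent = up->ref[up->slot];         /* grandparent was parked in this slot */
            up->ref[up->slot] = cur;            /* restore the original edge */
            up->slot++;
            cur = up;
        }
    }
}

/* The testcase's shape without the infinite loop: `depth` nested cells,
 * each one's ref[0] pointing at the next inner cell.  Returns the outermost. */
Cell *build_nested(size_t depth) {
    Cell *inner = NULL;
    for (size_t i = 0; i < depth; i++) {
        Cell *c = calloc(1, sizeof *c);
        if (!c) abort();
        c->ref[0] = inner;
        inner = c;
    }
    return inner;
}

void free_chain(Cell *outer) {
    while (outer) { Cell *next = outer->ref[0]; free(outer); outer = next; }
}

/* Build a chain of `depth` cells, mark it, and check that every cell was
 * marked and every reversed pointer was restored.  Returns `depth` on
 * success, 0 on any failure. */
size_t mark_chain_and_check(size_t depth) {
    Cell *outer = build_nested(depth);
    size_t n = dsw_mark(outer), seen = 0;
    for (Cell *c = outer; c; c = c->ref[0]) {   /* walk only works if edges were restored */
        if (!c->marked) break;
        seen++;
    }
    free_chain(outer);
    return (n == depth && seen == depth) ? depth : 0;
}

/* A two-cell cycle: the mark bits, not recursion depth, terminate the walk.
 * Returns the number of cells marked (2) if the structure came back intact. */
size_t mark_two_cycle(void) {
    Cell a = {{0, 0}, 0, 0}, b = {{0, 0}, 0, 0};
    a.ref[0] = &b; a.ref[1] = &b;
    b.ref[0] = &a; b.ref[1] = &a;
    size_t n = dsw_mark(&a);
    if (a.ref[0] != &b || a.ref[1] != &b || b.ref[0] != &a || b.ref[1] != &a) return 0;
    return n;
}

int main(void) {
    /* A million levels would overflow a recursive marker on any default stack. */
    size_t depth = 1000000;
    size_t ok = mark_chain_and_check(depth);
    printf("marked and restored %zu nested cells: %s\n", depth, ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The same walk handles the cyclic case because a cell is marked before it is descended into, so the second visit is skipped; that is the property that makes the `while (1)` variant of the testcase a stack problem only, as the comment above says, and not a memory-corruption one.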
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_Mark]