Closed Bug 708819 Opened 13 years ago Closed 13 years ago

Crash [@ JSObject::defaultValue] due to recursion

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: decoder, Assigned: evilpie)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-needed)

Crash Data

Attachments

(1 file)

Check for recursion in Error functions
1.59 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following test crashes on mozilla-central revision 6785d3003414 (options -m -n -a):


var myErr = new Error( "Error Text" );
myErr.name = myErr;
test(( 'Did not generate ANY error!!!' & this ? this : this) ());
function test(length)
function f() {}


The crash seems to be a too much recursion crash, and the repeating cycle is:

#12 0x00000000004430e8 in JSObject::defaultValue (this=0x7ffff60042e0, cx=0xb2d930, hint=JSTYPE_STRING, vp=0x7fffff7ff470) at ../jsobjinlines.h:129
#13 0x0000000000589ca5 in js::ToPrimitive (cx=0xb2d930, preferredType=JSTYPE_STRING, vp=0x7fffff7ff470) at ../jsobjinlines.h:1519
#14 0x00000000005918a1 in js::ToStringSlow (cx=0xb2d930, arg=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3237
#15 0x0000000000493017 in js::ToString (cx=0xb2d930, v=...) at /srv/repos/mozilla-central/js/src/jsstr.h:161
#16 0x000000000049536f in exn_toString (cx=0xb2d930, argc=0, vp=0x7ffff6415f30) at /srv/repos/mozilla-central/js/src/jsexn.cpp:804
#17 0x0000000000503205 in js::CallJSNative (cx=0xb2d930, native=0x495227 <exn_toString(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:321
#18 0x00000000004e54c2 in js::InvokeKernel (cx=0xb2d930, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:626
#19 0x0000000000458b47 in js::Invoke (cx=0xb2d930, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.h:165
#20 0x00000000004e579c in js::Invoke (cx=0xb2d930, thisv=..., fval=..., argc=0, argv=0x0, rval=0x7fffff7ff930) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:676
#21 0x000000000052a3cb in js::MaybeCallMethod (cx=0xb2d930, obj=0x7ffff60042e0, id=..., vp=0x7fffff7ff930) at /srv/repos/mozilla-central/js/src/jsobj.cpp:6538
#22 0x000000000052a4fe in js::DefaultValue (cx=0xb2d930, obj=0x7ffff60042e0, hint=JSTYPE_STRING, vp=0x7fffff7ff930) at /srv/repos/mozilla-central/js/src/jsobj.cpp:6559
#23 0x00000000004430e8 in JSObject::defaultValue (this=0x7ffff60042e0, cx=0xb2d930, hint=JSTYPE_STRING, vp=0x7fffff7ff930) at ../jsobjinlines.h:129
Also put the recursion check into toSource, for good measure. This could fail since bug 700169, because we now stringify objects.
Assignee: general → evilpies
Status: NEW → ASSIGNED
Attachment #581695 - Flags: review?(luke)
Attachment #581695 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/2172873119db
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug708819.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: