Closed Bug 1153867 Opened 10 years ago Closed 1 year ago

Value decompiler iloops on object containing cycle, causing errors involving the object to hang the script

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox40 --- affected

People

(Reporter: till, Unassigned)

References

Details

(Whiteboard: [Shumway])

Attachments

(2 files)

testcase.zip
1.91 MB, application/zip
Details
stack
19.69 KB, text/plain
Details
Attached file testcase.zip
The attached zip contains a build of Shumway and a SWF. Playing the SWF in Shumway causes an iloop when trying to create an error for an object that can't be converted to a primitive. Yury and I tried reducing the testcase, but failed coming up with anything simpler than what we have here. STR: 1. Unpack the zip 2. Run the following command in the same directory: [path to JS shell] build/ts/shell.js -x math-function-7.swf Expected result: The script should print some output and then finish. Actual result: The script hangs after printing "Testing: abs with (22) [object Object] (object)". Looking at this in a debugger, I see that there are quite a few nested invocations of js::ValueToSource. The depth doesn't grow infinitely, though, and the cycle detector does detect that there's a cycle, so it seems like there's a bug in how we then handle that cycle.
Attached file stack
Here's the stack I captured in the debugger. It varies in depth (I think down to 85 frames).
Blocks: shumway-1.0
No longer blocks: shumway-m4
Severity: normal → S3

Shumway is not a priority anymore. Closing this.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: