Open Bug 1153867 Opened 9 years ago Updated 2 years ago

Value decompiler iloops on object containing cycle, causing errors involving the object to hang the script

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox40 --- affected

People

(Reporter: till, Unassigned)

References

Details

(Whiteboard: [Shumway])

Attachments

(2 files)

testcase.zip
1.91 MB, application/zip
Details
stack
19.69 KB, text/plain
Details
Attached file testcase.zip 
The attached zip contains a build of Shumway and a SWF. Playing the SWF in Shumway causes an iloop when trying to create an error for an object that can't be converted to a primitive. Yury and I tried reducing the testcase, but failed coming up with anything simpler than what we have here.

STR:
1. Unpack the zip
2. Run the following command in the same directory:
[path to JS shell] build/ts/shell.js -x math-function-7.swf

Expected result:
The script should print some output and then finish.

Actual result:
The script hangs after printing "Testing: abs with (22) [object Object] (object)".

Looking at this in a debugger, I see that there are quite a few nested invocations of js::ValueToSource. The depth doesn't grow infinitely, though, and the cycle detector does detect that there's a cycle, so it seems like there's a bug in how we then handle that cycle.
Attached file stack 
Here's the stack I captured in the debugger. It varies in depth (I think down to 85 frames).
Blocks: shumway-1.0
No longer blocks: shumway-m4
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: