Closed Bug 116228 Opened 23 years ago Closed 23 years ago

Problems with toString function performed on Function objects

Categories

(Core :: JavaScript Engine, defect, P1)


VERIFIED FIXED
mozilla0.9.8

People

(Reporter: chris, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(4 files)

Try the following:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
	<title>Untitled</title>
</head>
<body>
<script>
var x = {}
x.fun = function () {return 'hello'}
x.fun.toString = function () {
return this();
}
onload = function () {
  alert(x.fun)
}


</script>
</body>
</html>

This should work (and does in NS4 and all IE browsers) but results in crashing Mozilla.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
cc'ing Brendan on this. We can reduce the browser crash to this:

obj = {};
obj.toString = function() {return this();}
obj;


If we change |this()| to |this|, we do not crash and there are no
errors in the JavaScript Console.


VARIATIONS

If you change the property name from |toString| to |prop|, no crash
and no error. If you change the final line from |obj;| to |obj.toString();|
as in

obj = {};
obj.toString = function() {return this();}
obj.toString();


then no crash, but we get an error:

Error: object is not a function
Line: 2



NONE of the testcases above crash for me in the standalone JS shell
on WinNT (optimized or debug).
Assignee: rogerl → khanson
Attached file WinNT stack trace
Crashes Mozilla 20011219xx on Linux as well as WinNT.
OS : Win ---> All
OS: Windows 2000 → All
D'oh -- old bug (I think) -- JSOP_THIS does not null the obj register.

/be
Assignee: khanson → brendan
Keywords: js1.5, mozilla0.9.8
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla0.9.8
Comment on attachment 62495
proposed fix, one-liner

sr=shaver.
Attachment #62495 - Flags: superreview+
Comment on attachment 62495
proposed fix, one-liner

r=timeless (see also bug 53614)
Attachment #62495 - Flags: review+
Fixed, thanks.

/be
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified Fixed using Mozilla trunk binaries 20011227xx on WinNT, Linux, Mac9.1.
Both the reduced HTML testcase and the reporter's original testcase load without 
crashing. I also checked in the latest JS shell built today, and did not crash. 
On the other hand, I was never able to provoke the crash there anyway -
Status: RESOLVED → VERIFIED
Flags: testcase?
Checking in regress-116228.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-116228.js,v  <--  regress-116228.js
initial revision: 1.1
Flags: testcase? → testcase+
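
The conversions reported in this bug, as an added regression sketch (not the regress-116228.js checked in above, and not code from the reporter or from Mozilla): it drives the explicit and implicit routes into toString and classifies each outcome, so a fixed engine shows 'hello' for the callable case and a TypeError for the plain-object case. The helper names probe, makeCallable, makePlain, CASES and runAll are hypothetical, and the expected outcomes assume current ECMAScript semantics.

```javascript
// Added regression sketch for the conversions discussed in this bug.
// Helper names (probe, CASES, runAll) are hypothetical, not from the Mozilla tree.

// Run one conversion and classify the outcome instead of letting it propagate.
function probe(convert) {
  try {
    return { ok: true, value: convert() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Reporter's case: toString lives on a function, so this() is a legal call.
function makeCallable() {
  var x = {};
  x.fun = function () { return 'hello'; };
  x.fun.toString = function () { return this(); };
  return x.fun;
}

// Reduced case: toString lives on a plain object, so this() must throw.
function makePlain() {
  var obj = {};
  obj.toString = function () { return this(); };
  return obj;
}

// Each entry exercises a different route into toString.
var CASES = [
  ['callable, implicit String()', function () { return String(makeCallable()); }],
  ['callable, concatenation',     function () { return '' + makeCallable(); }],
  ['plain, explicit toString()',  function () { return makePlain().toString(); }],
  ['plain, implicit String()',    function () { return String(makePlain()); }],
  ['plain, concatenation',        function () { return '' + makePlain(); }]
];

function runAll() {
  return CASES.map(function (c) {
    var r = probe(c[1]);
    return { name: c[0], outcome: r.ok ? 'value:' + r.value : 'throws:' + r.error };
  });
}

runAll().forEach(function (r) { console.log(r.name + ' -> ' + r.outcome); });
```

The implicit rows are the ones that matter for this bug: they reach toString through the engine's own conversion path rather than through a call written in the script.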