Closed Bug 260541 Opened 20 years ago Closed 20 years ago

Referencing an Error object on its .name attribute causes a crash

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8alpha4

People

(Reporter: troy, Assigned: brendan)

References

(
URL
)

Details

(4 keywords)

Attachments

(2 files)

proposed fix
2.75 KB, patch
shaver
: review+
brendan
: approval-aviary+
brendan
: approval1.7.5+
Details | Diff | Splinter Review
js1_5/Regress/regress-260541.js
2.24 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10

Browser go boom due to poor coding ( self-referencing objects when the JS engine
probably expected a string...)

Reproducible: Always
Steps to Reproduce:
1. Enable Javascript

2. Load a page with code such as
var myErr = new Error( "Error Text" );
myErr.name = myErr;

3. Watch the Mozilla Talkback client do it's thing.
Actual Results:  
The browser crashed.

Expected Results:  
The browser should have laughed at my poor coding ability and moved along.

TB896851K is the most specific.
TB895978Q and TB895966E were sent before I tracked down the problem.
Must-fix, thanks for reporting this.

/be
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.7.x+
Flags: blocking-aviary1.0+
Keywords: crash, js1.5
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha4
Attached patch proposed fixSplinter Review 
Old jsexn.c code (not mine) was too trusting about the values of read/write
Error properties such as name and message, leading to stack overflow.

Alas, ECMA-262 Edition 3 leaves Error.prototype.toString completely up to the
implementation to define.  This patch avoids recursive divergence and useless
results, but may result in an exception object converting to the empty string,
if you set both name and message to non-string or empty-string values.	If
anyone has a better idea for how Error.prototype.toString should work, feel
free to file an RFE.

/be
Attachment #159485 - Flags: review?(shaver)
Comment on attachment 159485 [details] [diff] [review]
proposed fix

Cool, but you gotta add a test!
Attachment #159485 - Flags: review?(shaver) → review+
Comment on attachment 159485 [details] [diff] [review]
proposed fix

Fixed on trunk; self-approving for branches.

/be
Attachment #159485 - Flags: approval1.7.x+
Attachment #159485 - Flags: approval-aviary+
Fixed all over the place.

/be
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0, fixed1.7.x
Resolution: --- → FIXED
Severity: minor → critical
Troy, with your permission this will be included in the javascript test
library.
Heh.  It's funny to hear you ask for permission for two lines of code.  Need a 
license?  Do whate'er you want with the code, just don't sue me ;-)  I guess 
that would make it an MIT license.

BTW, who is QA?  I guess per the workflow they are supposed to "Mark bug as 
Verified."  I'm new to bugzilla.
js1_5/Regress/regress-260541.js checked in.
Flags: testcase+
verified fixed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: