nested array sort() loop Stack overflow exception [@ js_Mark]

VERIFIED DUPLICATE of bug 203278

Status: VERIFIED DUPLICATE of bug 203278
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: Johannes Walther (Unassigned)
Keywords: crash
Version: Trunk
Hardware: x86
OS: Windows 98
Attachments: 1

Description (Reporter)

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0

Berend-Jan Wever writes on his homepage (see above) that the following small
code snippet crashes most browsers.

<HTML>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
  <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>

Among others Firefox and Suite are affected. I've tested it on Win98 with
Firefox 1.0 and Suite 1.8a5. 

Reproducible: Always
Steps to Reproduce:
1. Open testcase

Actual Results:  
Crash

Expected Results:  
No Crash, no overwriting of foreign memory. Browser should ask to terminate the
script.

Comment 1 (Reporter)

14 years ago
Created attachment 167031 [details]
testcase from his homepage
Comment 2 (Reporter)

14 years ago
Ok, crash also reproduced on Win2K with Firefox 1.0 (TB2174018Y) and Seamonkey
1.8a5 on Linux.
OS: Windows 98 → All

Comment 3

14 years ago
The crash with the same testcase is also addressed in bug 271716, bug 271718,
and bug 271739.

Comment 4

14 years ago
I also saw the stacktrace from this bug once in a crash, but I could only
reproduce the bug with _that_ stacktrace once (from that point on I only got
different stacktraces).

Comment 5

14 years ago
With the testcase I crash immediately with FF 1.0 on WinNT4.

TB2171746X [@ js_Mark]

js_Mark [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 3859]
js_MarkGCThing [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 865]
js_MarkGCThing [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 919]
... 
Keywords: crash
OS: All → Windows 98
Summary: nested array sort() loop Stack overflow exception → nested array sort() loop Stack overflow exception [@ js_Mark]
Comment 6

There are many ways to overflow the GC's mark phase stack right now.  Igor's
patch implementing Deutsch-Schorr-Waite, in bug 203278, fixes the "singly linked
list" cases.  Others remain, but this bug report is a straight dup.

/be

*** This bug has been marked as a duplicate of 203278 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
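The Deutsch-Schorr-Waite technique named in the comment above, as an added illustration in C that is not SpiderMonkey's code: a pointer-reversal mark walk over a simplified GC cell (assumed layout: two child slots plus mark and stage bytes), run over a constructed million-deep chain of the shape the nested-array testcase builds, which a recursive js_Mark-style walk cannot traverse without exhausting the C stack.

```c
#include <stdlib.h>
#include <stddef.h>
/* Simplified GC cell (not SpiderMonkey's layout): children, mark bit, DSW stage. */
typedef struct Node {
    struct Node *left, *right;
    unsigned char marked, stage;
} Node;
/* Deutsch-Schorr-Waite marking: no recursion, no mark stack. Child pointers are
 * reversed to point at the parent on the way down and restored on the way up. */
void dsw_mark(Node *root) {
    Node *cur = root, *prev = NULL;
    for (;;) {
        while (cur && !cur->marked) {             /* descend via left links */
            cur->marked = 1; cur->stage = 1;
            Node *next = cur->left; cur->left = prev; prev = cur; cur = next;
        }
        for (;;) {                                /* ascend, restoring links */
            if (!prev) return;
            if (prev->stage == 1) {               /* left done: now do right */
                Node *gp = prev->left; prev->left = cur;
                cur = prev->right; prev->right = gp; prev->stage = 2;
                break;
            }
            Node *gp = prev->right; prev->right = cur;   /* right done */
            cur = prev; prev = gp;
        }
    }
}

/* Constructed input: n cells each holding the next in slot 0, the shape of a = new Array(a) repeated. */
Node *build_chain(size_t n) {
    Node *head = NULL;
    while (n--) { Node *c = calloc(1, sizeof *c); c->left = head; head = c; }
    return head;
}

/* Number of marked cells if every link is intact after marking, else -1. */
long check_chain(Node *head, size_t n) {
    long marked = 0; Node *c = head;
    for (size_t i = 0; i < n; i++, c = c->left) {
        if (!c || c->right || (i + 1 < n && !c->left)) return -1;
        marked += c->marked;
    }
    return c ? -1 : marked;
}
int main(void) {                      /* a million levels would overflow recursive marking */
    size_t n = 1000000; Node *h = build_chain(n); dsw_mark(h);
    return check_chain(h, n) == (long)n ? 0 : 1;
}
```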
Comment 7

> No Crash, no overwriting of foreign memory.

There is no overwriting of foreign memory -- the stack overflows and the OS
kills the process.

> Browser should ask to terminate the script.

That will happen eventually; sooner with the impending fix for bug 237977.

/be
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_Mark]