Bug 295666: throw {toString: window.alert.call} causes crash [@ js_GetProperty]
Status: VERIFIED FIXED (Closed)
Opened 20 years ago, closed 19 years ago
Categories: Core :: JavaScript Engine, defect, P3
Target Milestone: mozilla1.8beta3
People: Reporter: guninski, Assigned: brendan
Details: Keywords: crash, js1.5, testcase, Whiteboard: [cb] no progress for 1.8b3? (defer?)
Attachments (2 files):
196 bytes, text/html
1.87 KB, patch (shaver: review+, brendan: approval1.8b3+)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
throw {toString: window.alert.call} causes crash.
testcase to follow.
Reproducible: Always
Steps to Reproduce:
testcases to follow.
Actual Results:
crash
Expected Results:
no crash
Comment 1 (Reporter) • 20 years ago
TB6164870Q
->Core: JS Engine
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
OS: Linux → All
Product: Firefox → Core
QA Contact: general → general
Summary: throw {toString: window.alert.call} causes crash → throw {toString: window.alert.call} causes crash [@ js_GetProperty]
Version: unspecified → Trunk
Reproduced in:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050525 Firefox/1.0+
Incident ID: 6164870
Stack Signature js_GetProperty 721110f1
Product ID FirefoxTrunk
Build ID 2005051906
Trigger Time 2005-05-27 00:42:40.0
Platform Win32
Operating System Windows 98 4.10 build 67766446
Module JS3250.DLL + (0002ccb5)
URL visited
User Comments
Since Last Crash 126586 sec
Total Uptime 126586 sec
Trigger Reason Stack overflow
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2734
Stack Trace
js_GetProperty [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2734]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3797]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3797]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3220]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
Comment 5 (Reporter) • 20 years ago
according to dveditz:
On the branch the above crashes in nsScriptSecurityManager::GetScriptPrincipal
(http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6157147)
On the trunk javascript appears to get stuck in infinite recursion, blows the
stack:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6156893
That testcase ought to be spun into its own bug.
Comment 6 • 20 years ago
This recurses completely inside the JS engine.... should we be doing some
stack-limit checks here?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3?
Comment 7 (Assignee) • 20 years ago
Yes, of course we should be checking -- d'oh. Taking.
/be
Assignee: general → brendan
Flags: blocking1.8b3?
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P3
Target Milestone: --- → mozilla1.8beta3
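The stack-limit check asked for in comment 6 and agreed to in comment 7, sketched as an added example; it is not attachment 188348 or any Mozilla code. It is a toy model of the conversion/call cycle visible in the Talkback trace, with a depth counter standing in for a native stack-limit test, and every name in it (toy_default_value, toy_call_native, convert, the enums and structs) is hypothetical.

```c
#include <stdio.h>
/* Toy model, constructed for illustration; not SpiderMonkey code. */
enum slot_kind { SLOT_PLAIN, SLOT_CALL };  /* what obj.toString holds */
enum status { OK, ERR_NOT_FUNCTION, ERR_TOO_MUCH_RECURSION };
struct object  { enum slot_kind to_string; int callable; };
struct context { unsigned depth, max_depth, peak; };
static enum status toy_default_value(struct context *cx, const struct object *obj);

/* Models a call() native: `this` must be a function, so a non-callable
   `this` is converted first, which re-enters toy_default_value. */
static enum status toy_call_native(struct context *cx, const struct object *thisobj)
{
    enum status st;
    if (thisobj->callable) return OK;
    st = toy_default_value(cx, thisobj);
    return st != OK ? st : ERR_NOT_FUNCTION;
}

/* Models the conversion step: invoke obj.toString with this == obj. */
static enum status toy_default_value(struct context *cx, const struct object *obj)
{
    enum status st = OK;
    /* The guard: return a reportable error before the native stack runs out. */
    if (cx->depth >= cx->max_depth)
        return ERR_TOO_MUCH_RECURSION;
    if (++cx->depth > cx->peak) cx->peak = cx->depth;
    if (obj->to_string == SLOT_CALL)
        st = toy_call_native(cx, obj);
    cx->depth--;
    return st;
}

/* Convert a non-callable object whose toString slot is `kind`. */
enum status convert(enum slot_kind kind, unsigned max_depth, unsigned *peak)
{
    struct object obj = { kind, 0 };
    struct context cx = { 0, max_depth, 0 };
    enum status st = toy_default_value(&cx, &obj);
    *peak = cx.peak;
    return st;
}

int main(void)
{
    unsigned peak;
    enum status st = convert(SLOT_CALL, 100, &peak);
    printf("status=%d peak=%u\n", (int)st, peak);
    return st == ERR_TOO_MUCH_RECURSION ? 0 : 1;
}
```

Without the guard in toy_default_value, the SLOT_CALL case recurses until the native stack is exhausted, which is the "Stack overflow" trigger reason recorded in the Talkback report.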
Updated • 19 years ago
Whiteboard: [cb] no progress for 1.8b3? (defer?)
Comment 8 • 19 years ago
need a patch in the next day if it's going to make 1.8b3
Comment 9 (Assignee) • 19 years ago
I'd like to check this in today, get on with other bugs.
/be
Attachment #188348 - Flags: review?(shaver)
Attachment #188348 - Flags: approval1.8b3+
Comment 10 • 19 years ago
Comment on attachment 188348: fix
r=shaver.
Attachment #188348 - Flags: review?(shaver) → review+
Comment 11 (Assignee) • 19 years ago
Fixed.
/be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated • 19 years ago
Flags: testcase?
Comment 12 • 19 years ago
Checking in regress-295666.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-295666.js,v <-- regress-295666.js
initial revision: 1.1
Flags: testcase? → testcase+
Updated • 13 years ago
Crash Signature: [@ js_GetProperty]