Closed Bug 295666 Opened 20 years ago Closed 19 years ago

throw {toString: window.alert.call} causes crash [@ js_GetProperty]

Categories

Product / Component: Core :: JavaScript Engine
Type: defect
Priority: P3
Hardware: x86
OS: All

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla1.8beta3

People

(Reporter: guninski, Assigned: brendan)

Details

(Keywords: crash, js1.5, testcase, Whiteboard: [cb] no progress for 1.8b3? (defer?))

Crash Data

Attachments

(2 files)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

throw {toString: window.alert.call} causes crash. testcase to follow.

Reproducible: Always

Steps to Reproduce:
testcases to follow.

Actual Results: crash

Expected Results: no crash
TB6164870Q -> Core: JS Engine
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
OS: Linux → All
Product: Firefox → Core
QA Contact: general → general
Summary: throw {toString: window.alert.call} causes crash → throw {toString: window.alert.call} causes crash [@ js_GetProperty]
Version: unspecified → Trunk
Reproduced in: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050525 Firefox/1.0+
Keywords: crash, testcase
Incident ID: 6164870
Stack Signature: js_GetProperty 721110f1
Product ID: FirefoxTrunk
Build ID: 2005051906
Trigger Time: 2005-05-27 00:42:40.0
Platform: Win32
Operating System: Windows 98 4.10 build 67766446
Module: JS3250.DLL + (0002ccb5)
URL visited:
User Comments:
Since Last Crash: 126586 sec
Total Uptime: 126586 sec
Trigger Reason: Stack overflow
Source File, Line No.: c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2734

Stack Trace (all source files are under c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/):
js_GetProperty [jsobj.c, line 2734]
js_XDRObject [jsobj.c, line 3797]
js_XDRObject [jsobj.c, line 3797]
js_DefaultValue [jsobj.c, line 3220]
fun_call [jsfun.c, line 1450]
js_Invoke [jsinterp.c, line 1218]
js_InternalGetOrSet [jsinterp.c, line 1318]
js_XDRObject [jsobj.c, line 3802]
js_DefaultValue [jsobj.c, line 3175]
(the preceding five frames, fun_call through js_DefaultValue, repeat identically for the rest of the reported trace, which ends at js_DefaultValue [jsobj.c, line 3175])
according to dveditz:

On the branch the above crashes in nsScriptSecurityManager::GetScriptPrincipal (http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6157147)

On the trunk javascript appears to get stuck in infinite recursion, blows the stack: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6156893

That testcase ought to be spun into its own bug.
This recurses completely inside the JS engine.... should we be doing some stack-limit checks here?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3?
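The re-entrancy visible in the trace above (js_DefaultValue invokes the object's toString, which is fun_call, which lands back in js_DefaultValue until the stack overflows), shown as an added example in modern JavaScript. This is not code from the bug or from SpiderMonkey. It assumes that window.alert.call in the testcase resolves to Function.prototype.call, as it does for any ordinary function object, and that it runs under a current engine (Node.js/V8 or Firefox), where a recursion check turns the cycle into a catchable exception instead of a crash. The function names makeBugObject, makeSelfReferential, classifyCoercion, safeDescribe and reportThrown are my own.

```javascript
// Added example, not from the bug report or from SpiderMonkey. Reproduces the
// conversion cycle behind bug 295666 in a modern engine and shows how a
// recursion (stack-limit) check turns it into a catchable exception.
//
// Assumption: window.alert.call in the original testcase is
// Function.prototype.call, which is what any ordinary function's .call is.

// The original object: its toString is Function.prototype.call. Converting it
// to a string calls Function.prototype.call with `this` = the object itself.
function makeBugObject() {
  return { toString: Function.prototype.call };
}

// The same cycle written out in plain JS: ToString -> toString -> ToString ...
// This is what an engine without a recursion check loops on until the native
// stack is exhausted, which is the "Stack overflow" trigger in the talkback.
function makeSelfReferential() {
  const obj = {};
  obj.toString = function () { return String(obj); };
  return obj;
}

// Stringify `value` and report how the engine resolved it. A recursion limit
// surfaces as RangeError (V8) or InternalError "too much recursion" (SpiderMonkey).
function classifyCoercion(value) {
  try {
    return { outcome: "value", result: String(value) };
  } catch (e) {
    const name = e && e.name;
    if (name === "RangeError" || name === "InternalError") {
      return { outcome: "recursion-limit", error: name };
    }
    if (name === "TypeError") {
      return { outcome: "type-error", error: name };
    }
    return { outcome: "other", error: String(name) };
  }
}

// What an error reporter should do with an untrusted thrown value: describe it
// without invoking its toString/valueOf, so the reporter itself cannot be
// driven back into user code. Object.prototype.toString is deliberately not
// used either, since a Symbol.toStringTag getter would run code.
function safeDescribe(value) {
  if (value === null) return "null";
  const t = typeof value;
  if (t === "object") return "[object]";
  if (t === "function") return "[function]";
  return `${t}:${String(value)}`; // primitives only: no user hooks involved
}

// Mimics the uncaught-exception path of the original testcase (`throw obj`):
// the value escapes and something downstream has to report it. `naive` is the
// outcome of stringifying it; `safe` is the side-effect-free description.
function reportThrown(value) {
  try {
    throw value;
  } catch (e) {
    return { naive: classifyCoercion(e).outcome, safe: safeDescribe(e) };
  }
}

module.exports = { makeBugObject, makeSelfReferential, classifyCoercion, safeDescribe, reportThrown };
```

Under V8 the original object now fails fast with a TypeError, because Function.prototype.call rejects a non-callable `this` before anything is stringified; the explicit self-referential object is the case that still relies on the stack-limit check asked for in this bug. The safeDescribe path is the caveat for anything that reports thrown values: describe untrusted values without calling their toString, or the reporter becomes another entry point into the same cycle.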
Yes, of course we should be checking -- d'oh. Taking. /be
Assignee: general → brendan
Flags: blocking1.8b3?
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P3
Target Milestone: --- → mozilla1.8beta3
Whiteboard: [cb] no progress for 1.8b3? (defer?)
need a patch in the next day if it's going to make 1.8b3
Attached patch: fix
I'd like to check this in today, get on with other bugs. /be
Attachment #188348 - Flags: review?(shaver)
Attachment #188348 - Flags: approval1.8b3+
Comment on attachment 188348 (fix): r=shaver.
Attachment #188348 - Flags: review?(shaver) → review+
Fixed. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase?
Checking in regress-295666.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-295666.js,v <-- regress-295666.js
initial revision: 1.1
Flags: testcase? → testcase+
verified fixed 1.9 20060818
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_GetProperty]