Closed Bug 295666 Opened 19 years ago Closed 19 years ago

throw {toString: window.alert.call} causes crash [@ js_GetProperty]

Categories: Core :: JavaScript Engine, defect, P3
Hardware / OS: x86 / All
Status: VERIFIED FIXED
Target Milestone: mozilla1.8beta3
People: Reporter: guninski, Assigned: brendan
Keywords: crash, js1.5, testcase
Whiteboard: [cb] no progress for 1.8b3? (defer?)
Attachments: 2 files

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

throw {toString: window.alert.call} causes crash.

testcase to follow.

Reproducible: Always

Steps to Reproduce:
testcases to follow.
Actual Results:  
crash

Expected Results:  
no crash
TB6164870Q

->Core: JS Engine
Assignee: nobody → general
Severity: normal → critical
Component: General → JavaScript Engine
OS: Linux → All
Product: Firefox → Core
QA Contact: general → general
Summary: throw {toString: window.alert.call} causes crash → throw {toString: window.alert.call} causes crash [@ js_GetProperty]
Version: unspecified → Trunk
Reproduced in:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050525 Firefox/1.0+
Keywords: crash, testcase
Incident ID: 6164870
Stack Signature: js_GetProperty 721110f1
Product ID: FirefoxTrunk
Build ID: 2005051906
Trigger Time: 2005-05-27 00:42:40.0
Platform: Win32
Operating System: Windows 98 4.10 build 67766446
Module: JS3250.DLL + (0002ccb5)
URL visited:
User Comments:
Since Last Crash: 126586 sec
Total Uptime: 126586 sec
Trigger Reason: Stack overflow
Source File, Line No.: c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2734
Stack Trace:
js_GetProperty [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 2734]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3797]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3797]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3220]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
fun_call [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsfun.c, line 1450]
js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1218]
js_InternalGetOrSet [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_XDRObject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3802]
js_DefaultValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsobj.c, line 3175]
according to dveditz:

On the branch the above crashes in nsScriptSecurityManager::GetScriptPrincipal
(http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6157147)

On the trunk javascript appears to get stuck in infinite recursion, blows the
stack:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6156893

That testcase ought to be spun into its own bug.
This recurses completely inside the JS engine.... should we be doing some
stack-limit checks here?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3?
Yes, of course we should be checking -- d'oh.  Taking.

/be
Assignee: general → brendan
Flags: blocking1.8b3?
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P3
Target Milestone: --- → mozilla1.8beta3
Whiteboard: [cb] no progress for 1.8b3? (defer?)
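The stack-limit check dveditz asks about and brendan takes on is an engine-side fix; the same failure class reaches any application code that converts a value it did not create to a string, because a user-supplied toString can throw, recurse until the stack is exhausted, or return something that is not a string. The JavaScript below is an added example, not code from this bug or from Mozilla's tree: safeToString and tagOf are names chosen here, and the sample objects are constructed for the demonstration (one has the shape of the bug's testcase, since window.alert.call is Function.prototype.call; one is self-recursive; one has a throwing Symbol.toStringTag getter). On a current engine the bug-shaped object raises a TypeError instead of recursing, and the self-recursive one trips the engine's stack limit (RangeError in V8, InternalError in SpiderMonkey); both are caught and reported rather than taking the caller down.

```javascript
// Added example, not code from bug 295666 or from Mozilla's tree.
// safeToString, tagOf and the sample objects are constructed here.
//
// The bug shows an engine re-entering its own value-conversion path through
// a user-supplied toString with no stack-depth check. Exception reporters,
// loggers and template renderers meet the same hooks on values they did not
// create, so the conversion is done defensively and a failed hook is
// recorded instead of propagating into the reporter.

"use strict";

// Object.prototype.toString cannot be replaced per object, but the
// Symbol.toStringTag it reads can be a throwing getter, so even the
// fallback description is guarded.
function tagOf(value) {
  try {
    return Object.prototype.toString.call(value);
  } catch (e) {
    return "[object <unknown>]";
  }
}

// depth bounds how many times a toString that returns an object (rather
// than a string) is followed before the hooks are given up on entirely.
function safeToString(value, depth = 0) {
  // Primitives carry no per-value coercion hooks; String() is safe here
  // (and, unlike implicit concatenation, accepts symbols).
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return String(value);
  }
  try {
    // Both the property read (a getter) and the call itself can throw.
    const result = value.toString();
    if (typeof result === "string") {
      return result;
    }
    return depth < 2 ? safeToString(result, depth + 1) : tagOf(value);
  } catch (e) {
    // TypeError: Function.prototype.call invoked with a non-callable `this`,
    //   which is what the bug's {toString: window.alert.call} produces on a
    //   spec-conformant engine today.
    // RangeError / InternalError: the hook recursed until the engine's
    //   stack limit fired, i.e. the check this bug added.
    const name = e && e.name ? e.name : "non-Error";
    return tagOf(value) + " (toString failed: " + name + ")";
  }
}

// Constructed inputs, one per failure class discussed above.
const bugShaped = { toString: Function.prototype.call };
const selfRecursive = { toString() { return String(this); } };
const throwingTag = {
  get [Symbol.toStringTag]() { throw new Error("hostile tag"); },
};
const objectReturning = { toString: () => ({}) };

// Returns every result so a caller (or a test) can check them.
function demo() {
  return {
    number: safeToString(42),
    bugShaped: safeToString(bugShaped),
    selfRecursive: safeToString(selfRecursive),
    throwingTag: safeToString(throwingTag),
    objectReturning: safeToString(objectReturning),
  };
}

console.log(demo());
```

Run it with node. The try/catch is what handles the two failure modes the bug is about; the depth bound only matters for hooks that answer with another object, where following them forever would be a recursion of the caller's own making.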
need a patch in the next day if it's going to make 1.8b3
Attached patch: fix
I'd like to check this in today, get on with other bugs.

/be
Attachment #188348 - Flags: review?(shaver)
Attachment #188348 - Flags: approval1.8b3+
Comment on attachment 188348 [details] [diff] [review]
fix

r=shaver.
Attachment #188348 - Flags: review?(shaver) → review+
Fixed.

/be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase?
Checking in regress-295666.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-295666.js,v  <--  regress-295666.js
initial revision: 1.1
Flags: testcase? → testcase+
verified fixed 1.9 20060818
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_GetProperty]