Closed
Bug 624426
Opened 15 years ago
Closed 15 years ago
Too-much-recursion crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex]
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos][fixed-in-tracemonkey])
Crash Data
Attachments
(1 file)
|
4.42 KB,
text/plain
|
Details |
__defineSetter__("x",Object.seal);
(eval("\
(function(){\
z = arguments;\
x = z;\
z.function::callee = []\
})\
"))()
crashes opt js shells at js_LookupProperty on TM changeset de9053031560 without -m nor -j and crashes debug js shells at JSID_IS_STRING or js_CheckForStringIndex
Seems to be some form of recursive stack overflow.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 51110:842ca3e81a78
user: Dave Herman
date: Tue Jun 15 13:32:32 2010 -0700
summary: bug 533874, r=jimb: expose the parser as a JS API
|
||
Comment 1•15 years ago
|
||
That's mysterious. I can't see what that patch could've had to do with this crash. I'll look into it tomorrow.
Dave
|
Reporter | |
Comment 2•15 years ago
|
||
(In reply to comment #1)
> That's mysterious. I can't see what that patch could've had to do with this
> crash. I'll look into it tomorrow.
>
> Dave
I re-ran autoBisect and this seems like a more plausible changeset:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 54278:441f83a81fb8
user: Jim Blandy
date: Tue Sep 21 11:35:30 2010 -0700
summary: Bug 492845: Implement Object.isSealed, Object.seal. a=jwalden, r=brendan
|
||
Updated•15 years ago
|
Group: core-security
blocking2.0: ? → .x
Whiteboard: [ccbr] → [ccbr][sg:dos]
|
||
Updated•15 years ago
|
Summary: Crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex] → Too-much-recursion crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex]
|
|
Reporter | |
Comment 3•15 years ago
|
||
Fixed by bug 631219.
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 61783:13ddee17c691
user: David Mandelin
date: Thu Feb 03 15:11:21 2011 -0800
summary: Bug 631219: define property instead of setting it in ArgSetter, r=brendan
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos][fixed-in-tracemonkey]
|
||
Updated•14 years ago
|
blocking2.0: .x+ → ---
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Depends on: 631219
|
||
Updated•14 years ago
|
Crash Signature: [@ js_LookupProperty]
[@ JSID_IS_STRING]
[@ js_CheckForStringIndex]
|
||
Comment 4•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Comment 5•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•