Too-much-recursion crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex]

RESOLVED FIXED

Status

critical
8 years ago
3 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk

Firefox Tracking Flags

(status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:dos][fixed-in-tracemonkey], crash signature)

Attachments

(1 attachment)

Created attachment 502537
more information

__defineSetter__("x",Object.seal);
(eval("\
  (function(){\
    z = arguments;\
    x = z;\
    z.function::callee = []\
  })\
"))()

crashes opt js shells at js_LookupProperty on TM changeset de9053031560 without -m or -j, and crashes debug js shells at JSID_IS_STRING or js_CheckForStringIndex.

Seems to be some form of recursive stack overflow.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   51110:842ca3e81a78
user:        Dave Herman
date:        Tue Jun 15 13:32:32 2010 -0700
summary:     bug 533874, r=jimb: expose the parser as a JS API
Blocks: 533874
blocking2.0: --- → ?
That's mysterious. I can't see what that patch could've had to do with this crash. I'll look into it tomorrow.

Dave
(In reply to comment #1)
> That's mysterious. I can't see what that patch could've had to do with this
> crash. I'll look into it tomorrow.
> 
> Dave

I re-ran autoBisect and this seems like a more plausible changeset:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   54278:441f83a81fb8
user:        Jim Blandy
date:        Tue Sep 21 11:35:30 2010 -0700
summary:     Bug 492845: Implement Object.isSealed, Object.seal. a=jwalden, r=brendan
Blocks: 492845
No longer blocks: 533874
OS: Mac OS X → All
Hardware: x86 → All
Group: core-security
blocking2.0: ? → .x
Whiteboard: [ccbr] → [ccbr][sg:dos]

Updated

8 years ago
Summary: Crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex] → Too-much-recursion crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex]
Fixed by bug 631219.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   61783:13ddee17c691
user:        David Mandelin
date:        Thu Feb 03 15:11:21 2011 -0800
summary:     Bug 631219: define property instead of setting it in ArgSetter, r=brendan
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos][fixed-in-tracemonkey]
blocking2.0: .x+ → ---
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Depends on: 631219
Crash Signature: [@ js_LookupProperty] [@ JSID_IS_STRING] [@ js_CheckForStringIndex]
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
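
The fix summary above reads "define property instead of setting it". As an added example (not part of the original bug and not SpiderMonkey's ArgSetter code), the following shows that distinction in general JavaScript terms on plain objects: a write done by assignment re-enters an inherited setter, while a write done by definition does not. The names makeTarget, writeBySet, writeByDefine and probe are hypothetical.

```javascript
// Added illustration on plain objects; it does not reproduce the crash above.

// Build an object whose prototype carries a setter for `key`.
// The setter stores the value on the receiver using the supplied strategy.
function makeTarget(key, write) {
  const proto = {};
  Object.defineProperty(proto, key, {
    configurable: true,
    get() { return undefined; },
    set(value) { write(this, key, value); },
  });
  return Object.create(proto);
}

// Strategy 1: ordinary assignment. The lookup walks the prototype chain,
// finds the setter again, and every write re-enters it.
const writeBySet = (obj, key, value) => { obj[key] = value; };

// Strategy 2: define an own data property. Setters are never consulted,
// and the new own property shadows the inherited accessor afterwards.
const writeByDefine = (obj, key, value) => {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
};

// Assign once and report what happened. A current engine turns unbounded
// recursion into a catchable error (RangeError in V8, InternalError
// "too much recursion" in SpiderMonkey) rather than a native crash.
function probe(write) {
  const target = makeTarget('callee', write);
  try {
    target.callee = [];
  } catch (e) {
    if (e instanceof RangeError || e.name === 'InternalError') {
      return 'recursion-limit';
    }
    throw e;
  }
  return Object.prototype.hasOwnProperty.call(target, 'callee')
    ? 'own-data-property'
    : 'no-own-property';
}

console.log('set   :', probe(writeBySet));
console.log('define:', probe(writeByDefine));
```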