Closed
Bug 624426
Opened 14 years ago
Closed 13 years ago
Too-much-recursion crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex]
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos][fixed-in-tracemonkey])
Crash Data
Attachments
(1 file)
4.42 KB,
text/plain
|
Details |
__defineSetter__("x",Object.seal); (eval("\ (function(){\ z = arguments;\ x = z;\ z.function::callee = []\ })\ "))() crashes opt js shells at js_LookupProperty on TM changeset de9053031560 without -m nor -j and crashes debug js shells at JSID_IS_STRING or js_CheckForStringIndex Seems to be some form of recursive stack overflow. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 51110:842ca3e81a78 user: Dave Herman date: Tue Jun 15 13:32:32 2010 -0700 summary: bug 533874, r=jimb: expose the parser as a JS API
Comment 1•13 years ago
|
||
That's mysterious. I can't see what that patch could've had to do with this crash. I'll look into it tomorrow. Dave
Reporter | ||
Comment 2•13 years ago
|
||
(In reply to comment #1) > That's mysterious. I can't see what that patch could've had to do with this > crash. I'll look into it tomorrow. > > Dave I re-ran autoBisect and this seems like a more plausible changeset: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 54278:441f83a81fb8 user: Jim Blandy date: Tue Sep 21 11:35:30 2010 -0700 summary: Bug 492845: Implement Object.isSealed, Object.seal. a=jwalden, r=brendan
Updated•13 years ago
|
Group: core-security
blocking2.0: ? → .x
Whiteboard: [ccbr] → [ccbr][sg:dos]
Updated•13 years ago
|
Summary: Crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex] → Too-much-recursion crash [@ js_LookupProperty] or [@ JSID_IS_STRING] or [@ js_CheckForStringIndex]
Reporter | ||
Comment 3•13 years ago
|
||
Fixed by bug 631219. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 61783:13ddee17c691 user: David Mandelin date: Thu Feb 03 15:11:21 2011 -0800 summary: Bug 631219: define property instead of setting it in ArgSetter, r=brendan
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos][fixed-in-tracemonkey]
Updated•13 years ago
|
blocking2.0: .x+ → ---
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Depends on: 631219
Updated•13 years ago
|
Crash Signature: [@ js_LookupProperty]
[@ JSID_IS_STRING]
[@ js_CheckForStringIndex]
Comment 4•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Comment 5•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•