Crash [@ JSID_TO_STRING] or [@ fun_bind] with testcase involving toString, Function.prototype.bind

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
RESOLVED FIXED
Reported:
8 years ago
Modified:
6 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version:
Trunk
Keywords:
crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

stack
6.61 KB, text/plain
Details
(Reporter)

Description

8 years ago 
(function () {
    [] = x = /x/;
    x.toString = Function.prototype.bind;
    print(x)
})()

crashes js debug and opt shell on TM changeset 6c8becdd1574 without -m nor -j.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   64672:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited.  r=luke

Bug 635389 may be related, I'm filing separate because they have different regression windows.
 (Reporter)

Updated

8 years ago
Summary: Crash with testcase involving toString, Function.prototype.bind → Crash [@ JSID_TO_STRING] or [@ fun_bind] with testcase involving toString, Function.prototype.bind
 (Reporter)

Comment 1

8 years ago 
Created attachment 524841 [details]
stack
 (Reporter)

Comment 2

8 years ago 
(In reply to comment #0)
> Bug 635389 may be related, I'm filing separate because they have different
> regression windows.

The more I look at the stacks, the more I suspect this is another manifestation of bug 635389, even though that bug doesn't have .bind and this one does.

I'll leave it to others more knowledgeable to confirm this dupe.
 (Reporter)

Updated

8 years ago
OS: Windows 7 → All
Hardware: x86 → All

Comment 3

8 years ago 
toString would call bind, that would throw because |this| wasn't callable, then it'd try to be helpful and stringify |this| for the error message, lather, rinse, repeat.

Fixed by bug 601709, which removed this errant stringification that's not at all part of the spec, and which also removes the possibility of recurring solely via built-in methods.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSID_TO_STRING] [@ fun_bind]

Comment 4

6 years ago 
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.