Crash [@ JSID_TO_STRING] or [@ fun_bind] with testcase involving toString, Function.prototype.bind
RESOLVED
FIXED
Status
()
People
(Reporter: gkw, Unassigned)
Tracking
(Blocks: 1 bug, {crash, regression, testcase})
Firefox Tracking Flags
(Not tracked)
Details
(crash signature)
Attachments
(1 attachment)
6.61 KB,
text/plain
|
Details |
(function () { [] = x = /x/; x.toString = Function.prototype.bind; print(x) })() crashes js debug and opt shell on TM changeset 6c8becdd1574 without -m nor -j. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 64672:0906d9490eaf user: Jeff Walden date: Mon Mar 28 20:01:53 2011 -0700 summary: Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke Bug 635389 may be related, I'm filing separate because they have different regression windows.
![]() |
(Reporter) | |
Updated•8 years ago
|
Summary: Crash with testcase involving toString, Function.prototype.bind → Crash [@ JSID_TO_STRING] or [@ fun_bind] with testcase involving toString, Function.prototype.bind
![]() |
(Reporter) | |
Comment 1•8 years ago
|
||
Created attachment 524841 [details]
stack
![]() |
(Reporter) | |
Comment 2•8 years ago
|
||
(In reply to comment #0) > Bug 635389 may be related, I'm filing separate because they have different > regression windows. The more I look at the stacks, the more I suspect this is another manifestation of bug 635389, even though that bug doesn't have .bind and this one does. I'll leave it to others more knowledgeable to confirm this dupe.
![]() |
(Reporter) | |
Updated•8 years ago
|
OS: Windows 7 → All
Hardware: x86 → All
Comment 3•8 years ago
|
||
toString would call bind, that would throw because |this| wasn't callable, then it'd try to be helpful and stringify |this| for the error message, lather, rinse, repeat. Fixed by bug 601709, which removed this errant stringification that's not at all part of the spec, and which also removes the possibility of recurring solely via built-in methods.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Crash Signature: [@ JSID_TO_STRING]
[@ fun_bind]
Comment 4•6 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•