648739 - Crash [@ JSID_TO_STRING] or [@ fun_bind] with testcase involving toString, Function.prototype.bind

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(function () {
    [] = x = /x/;
    x.toString = Function.prototype.bind;
    print(x)
})()

crashes js debug and opt shell on TM changeset 6c8becdd1574 without -m nor -j.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   64672:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited.  r=luke

Bug 635389 may be related, I'm filing separate because they have different regression windows.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #0)
> Bug 635389 may be related, I'm filing separate because they have different
> regression windows.

The more I look at the stacks, the more I suspect this is another manifestation of bug 635389, even though that bug doesn't have .bind and this one does.

I'll leave it to others more knowledgeable to confirm this dupe.

Comment 3

[Jeff Walden [:Waldo]]

toString would call bind, that would throw because |this| wasn't callable, then it'd try to be helpful and stringify |this| for the error message, lather, rinse, repeat.

Fixed by bug 601709, which removed this errant stringification that's not at all part of the spec, and which also removes the possibility of recurring solely via built-in methods.

Comment 4

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929