Too-much-recursion through array_sort

VERIFIED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
--
critical
VERIFIED FIXED
Reported:
6 years ago
Modified:
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: Waldo)

Tracking

(Blocks: 1 bug, {crash, testcase})

Version:
Trunk
Keywords:
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

stack trace (repeating portion only)
1.55 KB, text/plain
Details
(Reporter)

Description

6 years ago 
Created attachment 558046 [details]
stack trace (repeating portion only)

var a = [];
  var sort = a.sort.bind(a);
  a.push(sort);
  a.push(sort);
  sort(sort);

Crashes with too-much-recursion through array_sort.

Similar to bug 671797, which involves array extras such as array_forEach.

This bug goes all the way back to the introduction of Function.prototype.bind in bug 429507.
Whiteboard: js-triage-needed
 (Reporter)

Comment 1

6 years ago 
Bug 715387 is another too-much-recursion crash involving array_sort. It's different in that it involves recursion through toString rather than through sort_compare.

Comment 2

5 years ago 
Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: js-triage-needed
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.