Bug 708819 - Crash [@ JSObject::defaultValue] due to recursion
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Linux
-- critical
: mozilla11
Assigned To: Tom Schuster [:evilpie]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
Reported: 2011-12-08 13:24 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:13 PST
7 users
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Check for recursion in Error functions (1.59 KB, patch)
2011-12-14 10:00 PST, Tom Schuster [:evilpie]
luke: review+

Description  Christian Holler (:decoder) 2011-12-08 13:24:51 PST
The following test crashes on mozilla-central revision 6785d3003414 (options -m -n -a):

var myErr = new Error( "Error Text" ); = myErr;
test(( 'Did not generate ANY error!!!' & this ? this : this) ());
function test(length)
function f() {}

The crash seems to be a too much recursion crash, and the repeating cycle is:

#12 0x00000000004430e8 in JSObject::defaultValue (this=0x7ffff60042e0, cx=0xb2d930, hint=JSTYPE_STRING, vp=0x7fffff7ff470) at ../jsobjinlines.h:129
#13 0x0000000000589ca5 in js::ToPrimitive (cx=0xb2d930, preferredType=JSTYPE_STRING, vp=0x7fffff7ff470) at ../jsobjinlines.h:1519
#14 0x00000000005918a1 in js::ToStringSlow (cx=0xb2d930, arg=...) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3237
#15 0x0000000000493017 in js::ToString (cx=0xb2d930, v=...) at /srv/repos/mozilla-central/js/src/jsstr.h:161
#16 0x000000000049536f in exn_toString (cx=0xb2d930, argc=0, vp=0x7ffff6415f30) at /srv/repos/mozilla-central/js/src/jsexn.cpp:804
#17 0x0000000000503205 in js::CallJSNative (cx=0xb2d930, native=0x495227 <exn_toString(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:321
#18 0x00000000004e54c2 in js::InvokeKernel (cx=0xb2d930, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:626
#19 0x0000000000458b47 in js::Invoke (cx=0xb2d930, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.h:165
#20 0x00000000004e579c in js::Invoke (cx=0xb2d930, thisv=..., fval=..., argc=0, argv=0x0, rval=0x7fffff7ff930) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:676
#21 0x000000000052a3cb in js::MaybeCallMethod (cx=0xb2d930, obj=0x7ffff60042e0, id=..., vp=0x7fffff7ff930) at /srv/repos/mozilla-central/js/src/jsobj.cpp:6538
#22 0x000000000052a4fe in js::DefaultValue (cx=0xb2d930, obj=0x7ffff60042e0, hint=JSTYPE_STRING, vp=0x7fffff7ff930) at /srv/repos/mozilla-central/js/src/jsobj.cpp:6559
#23 0x00000000004430e8 in JSObject::defaultValue (this=0x7ffff60042e0, cx=0xb2d930, hint=JSTYPE_STRING, vp=0x7fffff7ff930) at ../jsobjinlines.h:129
Comment 1  Tom Schuster [:evilpie] 2011-12-14 10:00:48 PST
Created attachment 581695 [details] [diff] [review]
Check for recursion in Error functions

Also put the recursion check into toSource, for good measure. This could fail since bug 700169, because we now stringify objects.
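The cycle in the trace, reproduced as an added JavaScript model (this is not the bug's testcase and not the SpiderMonkey patch): a userland Error.prototype.toString with and without the kind of recursion check the patch adds to exn_toString. It assumes a self-referential `name` property is what closes the cycle, since the assignment target in the report is lost.

```javascript
// Added example, not code from the bug or from the SpiderMonkey patch.
// Models the trace above: toString -> ToString(name) -> defaultValue -> toString ...
// Assumption: a self-referential `name` is the trigger (the report's target is lost).
// Both models are installed as the object's own toString, so String(err.name)
// re-enters them exactly as the engine's native exn_toString re-enters itself.

const MAX_DEPTH = 100; // stands in for the engine's native stack quota
let depth = 0;

// The spec algorithm: stringify name and message, then join them.
function joinNameAndMessage(err) {
  const name = err.name === undefined ? "Error" : String(err.name);
  const msg = err.message === undefined ? "" : String(err.message);
  if (name === "") return msg;
  if (msg === "") return name;
  return name + ": " + msg;
}

// Unguarded: in the engine this is the stack overflow in the trace;
// the host engine running this model stops it with a RangeError instead.
function unguardedToString() { return joinNameAndMessage(this); }

// Guarded: the equivalent of the patch's check, failing with a clean error.
function guardedToString() {
  if (depth >= MAX_DEPTH) throw new RangeError("too much recursion");
  depth++;
  try { return joinNameAndMessage(this); } finally { depth--; }
}

// Run one model against a self-referential Error and report how it ended.
function probe(toStringImpl) {
  const myErr = new Error("Error Text"); // constructed input, as in the report
  myErr.toString = toStringImpl;
  myErr.name = myErr;                    // assumed cycle: name is the error itself
  try { return { ok: true, value: String(myErr) }; }
  catch (e) { return { ok: false, error: e.constructor.name, message: e.message }; }
}

// A non-cyclic Error still stringifies normally through either model.
function sane(toStringImpl) {
  const e = new Error("Error Text");
  e.toString = toStringImpl;
  return String(e);
}
```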
Comment 3  Matt Brubeck (:mbrubeck) 2011-12-19 11:14:59 PST
Comment 4  Christian Holler (:decoder) 2013-01-14 08:13:24 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug708819.js.
