Bug 15618

Summary: REGRESSION: Stack overflow/crash in KJS::equal
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal Keywords: HasReduction, InRadar, Regression
Priority: P1    
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
URL: http://a88.narod.ru/ars0003.htm
Attachments:
Description Flags
test case (will crash)
none
patch ggaren: review+

Alexey Proskuryakov
Reported 2007-10-22 07:41:57 PDT
r26843 crashes when opening this page. 0 com.apple.JavaScriptCore 0x004923f4 KJS::Collector::allocate(unsigned long) + 20 1 com.apple.JavaScriptCore 0x00493578 KJS::jsString(KJS::UString const&) + 216 2 com.apple.JavaScriptCore 0x00494058 KJS::NativeErrorImp::construct(KJS::ExecState*, KJS::List const&) + 168 3 com.apple.JavaScriptCore 0x004958d8 KJS::Error::create(KJS::ExecState*, KJS::ErrorType, KJS::UString const&, int, int, KJS::UString const&) + 968 4 com.apple.JavaScriptCore 0x00495c80 KJS::throwError(KJS::ExecState*, KJS::ErrorType, char const*) + 80 5 com.apple.JavaScriptCore 0x004aca28 KJS::JSObject::defaultValue(KJS::ExecState*, KJS::JSType) const + 1160 6 com.apple.JavaScriptCore 0x004a5ec4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 532 7 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 8 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 9 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548 10 com.apple.JavaScriptCore 0x004a5ed4 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 548
Attachments
test case (will crash) (175 bytes, text/html)
2007-10-22 08:31 PDT, Alexey Proskuryakov 		no flags
Details
patch (5.07 KB, patch)
2007-12-02 22:09 PST, Darin Adler 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2007-10-22 08:31:59 PDT
Created attachment 16800 [details] test case (will crash) Looks like the new limit for JS stack set in <http://trac.webkit.org/projects/webkit/changeset/25161> is too large indeed. The problem in the original page is caused by a script that accurately preserves window.onload while setting it to its own function. This script is included twice, which causes infinite recursion - must be a pretty common situation. function onLoad() { ... if (savedOnload) savedOnload(); } savedOnload = window.onload; window.onload = onLoad;
Alexey Proskuryakov
Comment 2 2007-10-22 08:48:37 PDT
Hmm, changing KJS_MAX_STACK back to 100 doesn't fix the problem for me.
Alexey Proskuryakov
Comment 3 2007-10-22 09:04:45 PDT
This doesn't have anything to do with JS stack - the infinite recursion is in native code.
David Kilzer (:ddkilzer)
Comment 4 2007-11-28 22:53:08 PST
Crashes on the earliest known WebKit nightly (r11976) with Safari 2.0.4 (419.3) on Mac OS X 10.4.11 (8S165). Does NOT crash with Safari 2.0.4 (419.3) with original WebKit on 10.4.11.
David Kilzer (:ddkilzer)
Comment 5 2007-11-28 22:53:27 PST
<rdar://problem/5619353>
Darin Adler
Comment 6 2007-12-02 21:45:50 PST
Got a fix.
Darin Adler
Comment 7 2007-12-02 22:09:40 PST
Created attachment 17664 [details] patch
Geoffrey Garen
Comment 8 2007-12-03 11:57:48 PST
Comment on attachment 17664 [details] patch r=me
Darin Adler
Comment 9 2007-12-03 14:58:39 PST
Committed revision 28370.
Note You need to log in before you can comment on or make changes to this bug.