| Summary: | Stack overflow when converting an Error object to string | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Alexey Proskuryakov <ap> | ||||||||
| Component: | JavaScriptCore | Assignee: | Darin Adler <darin> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | darin, eric, ggaren, oliver | ||||||||
| Priority: | P2 | Keywords: | InRadar | ||||||||
| Version: | 528+ (Nightly build) | ||||||||||
| Hardware: | All | ||||||||||
| OS: | All | ||||||||||
| Bug Depends on: | |||||||||||
| Bug Blocks: | 42959 | ||||||||||
| Attachments: |
|
||||||||||
It seems like this may be a generic problem with native methods, particularly any toString implementation which displays contents. For example: do we handle the case where an Array has itself as a member? Or do we check for array cycles during insertion? > For example: do we handle the case where an Array has itself as a member? Yes. > Or do we check for array cycles during insertion? No. I should also note: I do not believe that this stack overflow need be marked as a security bug. But it's possible I don't understand the full consequences of a stack overflow bug. Yes, this bug is not marked as a security one. My mistake. Created attachment 78305 [details]
Patch
Created attachment 79377 [details]
Patch
Comment on attachment 79377 [details]
Patch
Probably even better to deploy StackBounds::recursionCheck instead of continuing to use our legacy system of fixed recursion constants. But I will not make the perfect the enemy of the good!
r=me
Committed r76185: <http://trac.webkit.org/changeset/76185> |
Created attachment 68598 [details] test case (will crash) If an Error object has itself as one of its properties, we crash in toString.