|Summary:|Stack overflow when converting an Error object to string|
|Product:|WebKit|
|Reporter:|Alexey Proskuryakov <ap>|
|Severity:|Normal|
|CC:|darin, eric, ggaren, oliver|
|Version:|528+ (Nightly build)|
|Bug Depends on:||
Description Alexey Proskuryakov 2010-09-23 14:58:34 PDT
Created attachment 68598: test case (will crash)

If an Error object has itself as one of its properties, we crash in toString.
Comment 2 Eric Seidel (no email) 2010-09-29 13:56:45 PDT
It seems like this may be a generic problem with native methods, particularly any toString implementation which displays contents. For example: do we handle the case where an Array has itself as a member? Or do we check for array cycles during insertion?
Comment 3 Geoffrey Garen 2010-09-29 14:28:45 PDT
> For example: do we handle the case where an Array has itself as a member?

Yes.

> Or do we check for array cycles during insertion?

No.
Comment 4 Eric Seidel (no email) 2010-09-29 14:36:53 PDT
I should also note: I do not believe that this stack overflow need be marked as a security bug. But it's possible I don't understand the full consequences of a stack overflow bug.
Comment 5 Alexey Proskuryakov 2010-09-29 16:07:46 PDT
Yes, this bug is not marked as a security one.
Comment 6 Eric Seidel (no email) 2010-09-29 16:43:05 PDT
Comment 9 Geoffrey Garen 2011-01-18 18:37:58 PST
Comment on attachment 79377: Patch

Probably even better to deploy StackBounds::recursionCheck instead of continuing to use our legacy system of fixed recursion constants. But I will not make the perfect the enemy of the good! r=me
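
Added illustration, not part of the bug report and not WebKit code: a JavaScript model of the two kinds of guard the thread mentions for a toString that displays an object's contents, namely cycle detection and a fixed recursion limit. The names `safeErrorToString`, `inProgress` and `MAX_DEPTH`, the limit of 32, and the `[too deep]` marker are assumptions made for this sketch.

```javascript
// Added example; a model of the guards, not the engine's implementation.
const MAX_DEPTH = 32;          // assumed fixed recursion constant (hypothetical value)
const inProgress = new Set();  // objects whose conversion is currently on the stack

// Formats any object as "name: message", the way an Error displays itself,
// but never re-enters an object that is already being converted.
function safeErrorToString(value, depth = 0) {
  if (value === null || typeof value !== "object") return String(value);
  if (inProgress.has(value)) return "";             // cycle: contribute nothing
  if (depth >= MAX_DEPTH) return "[too deep]";      // backstop for long acyclic chains
  inProgress.add(value);
  try {
    const name = value.name === undefined
      ? "Error" : safeErrorToString(value.name, depth + 1);
    const message = value.message === undefined
      ? "" : safeErrorToString(value.message, depth + 1);
    if (name === "") return message;
    if (message === "") return name;
    return `${name}: ${message}`;
  } finally {
    inProgress.delete(value);                       // always unwind the guard
  }
}

// Constructed inputs: a direct self-reference, a two-object cycle,
// and a 100-deep chain that contains no cycle at all.
function selfReferential() {
  const e = new Error("x");
  e.message = e;
  return e;
}
function mutualCycle() {
  const a = new Error("a"), b = new Error("b");
  a.message = b;
  b.message = a;
  return a;
}
function deepChain(n) {
  let tail = new Error("end");
  for (let i = 0; i < n; i++) {
    const e = new Error("");
    e.message = tail;
    tail = e;
  }
  return tail;
}
```

The cycle check alone does not bound the 100-deep chain, because no object in it repeats; the depth limit is what stops it.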