Bug 46410

Summary: Stack overflow when converting an Error object to string
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, eric, ggaren, oliver
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 42959    
Attachments:
Description Flags
test case (will crash)
none
Patch
none
Patch ggaren: review+

Alexey Proskuryakov
Reported 2010-09-23 14:58:34 PDT
Created attachment 68598 [details] test case (will crash) If an Error object has itself as one of its properties, we crash in toString.
Attachments
test case (will crash) (340 bytes, text/html)
2010-09-23 14:58 PDT, Alexey Proskuryakov 		no flags
Details
Patch (21.47 KB, patch)
2011-01-07 23:03 PST, Darin Adler 		no flags
DetailsFormatted DiffDiff
Patch (24.19 KB, patch)
2011-01-18 18:31 PST, Darin Adler 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2010-09-23 15:51:45 PDT
<rdar://problem/8471921>
Eric Seidel (no email)
Comment 2 2010-09-29 13:56:45 PDT
It seems like this may be a generic problem with native methods, particularly any toString implementation which displays contents. For example: do we handle the case where an Array has itself as a member? Or do we check for array cycles during insertion?
Geoffrey Garen
Comment 3 2010-09-29 14:28:45 PDT
> For example: do we handle the case where an Array has itself as a member? Yes. > Or do we check for array cycles during insertion? No.
Eric Seidel (no email)
Comment 4 2010-09-29 14:36:53 PDT
I should also note: I do not believe that this stack overflow need be marked as a security bug. But it's possible I don't understand the full consequences of a stack overflow bug.
Alexey Proskuryakov
Comment 5 2010-09-29 16:07:46 PDT
Yes, this bug is not marked as a security one.
Eric Seidel (no email)
Comment 6 2010-09-29 16:43:05 PDT
My mistake.
Darin Adler
Comment 7 2011-01-07 23:03:19 PST
Created attachment 78305 [details] Patch
Darin Adler
Comment 8 2011-01-18 18:31:29 PST
Created attachment 79377 [details] Patch
Geoffrey Garen
Comment 9 2011-01-18 18:37:58 PST
Comment on attachment 79377 [details] Patch Probably even better to deploy StackBounds::recursionCheck instead of continuing to use our legacy system of fixed recursion constants. But I will not make the perfect the enemy of the good! r=me
Darin Adler
Comment 10 2011-01-19 17:54:11 PST
Committed r76185: <http://trac.webkit.org/changeset/76185>
Note You need to log in before you can comment on or make changes to this bug.