Bug 117119 - infinite recursion in JSC::Bindings::convertValueToQVariant
Summary: infinite recursion in JSC::Bindings::convertValueToQVariant
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Qt
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Reported: 2013-06-01 23:35 PDT by Dan Callaghan
Modified: 2021-06-29 15:10 PDT
Description Dan Callaghan 2013-06-01 23:35:09 PDT
Running the following minimal reproducer against QtWebKit 5.0.2 causes infinite recursion in JSC::Bindings::convertValueToQVariant.

#include <QApplication>
#include <QWebFrame>
#include <QWebPage>

int main(int argc, char *argv[]) {
    QApplication app(argc, argv);
    QWebPage page;
    // The script's result (the cyclic "one" object) is converted to a QVariant
    // on return from evaluateJavaScript; that conversion is where the recursion happens.
    page.mainFrame()->evaluateJavaScript(
        "One = function (other) { this.other = other; };"
        "Two = function () { };"
        "Two.prototype.breakage = function () {"
        "  var one = new One(this);"   // one.other -> two
        "  this.x = [one];"            // two.x -> [one]: closes the cycle
        "  return one;"
        "};"
        "new Two().breakage();"
    );
    return 0;
}

The stack trace from gdb looks like this:

#0  JSC::JSObject::getOwnNonIndexPropertyNames (object=0x7fffd018ff40, exec=0x7fffd022f388, propertyNames=..., mode=
    JSC::ExcludeDontEnumProperties) at runtime/JSObject.cpp:1514
#1  0x00007ffff70e63f5 in JSC::JSObject::getOwnPropertyNames (object=0x7fffd018ff40, exec=0x7fffd022f388, propertyNames=
    ..., mode=JSC::ExcludeDontEnumProperties) at runtime/JSObject.cpp:1510
#2  0x00007ffff70dd152 in JSC::JSObject::getPropertyNames (object=<optimized out>, exec=0x7fffd022f388, propertyNames=..., 
    mode=JSC::ExcludeDontEnumProperties) at runtime/JSObject.cpp:1437
#3  0x00007ffff6e72d41 in JSObjectCopyPropertyNames (ctx=0x7fffd022f388, object=0x7fffd018ff40) at API/JSObjectRef.cpp:510
#4  0x00007ffff60137a5 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#5  0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#6  0x00007ffff6014327 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#7  0x00007ffff6016cfb in JSC::Bindings::convertToList<QVariant> () from /lib64/libQt5WebKit.so.5
#8  0x00007ffff60131d4 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#9  0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#10 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#11 0x00007ffff6014327 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#12 0x00007ffff6016cfb in JSC::Bindings::convertToList<QVariant> () from /lib64/libQt5WebKit.so.5
[...]
#37962 0x00007ffff6016cfb in JSC::Bindings::convertToList<QVariant> () from /lib64/libQt5WebKit.so.5
#37963 0x00007ffff60131d4 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37964 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37965 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37966 0x00007ffff6014327 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37967 0x00007ffff5ddbfa0 in QWebFrameAdapter::evaluateJavaScript () from /lib64/libQt5WebKit.so.5
#37968 0x00007ffff7bbbf3d in QWebFrame::evaluateJavaScript () from /lib64/libQt5WebKitWidgets.so.5
#37969 0x0000000000400aa7 in main (argc=1, argv=<optimized out>) at test.cpp:18

The actual code that triggered this was Jasmine used by the PhantomJS test suite. It sets up a cyclic relationship between its Env and Suite objects through an array property, like the minimal reproducer above.

As a wild guess (I don't understand WebKit very well) this seems like it could be related to bug 104135.
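The stack trace above shows convertValueToQVariant and convertToList calling each other for every edge of the object graph, so a back-reference (two.x = [one], one.other = two) never terminates. The following is an added example, not WebKit's or Qt's code, that models that walk over a constructed copy of the reporter's graph and keeps a set of the objects currently being converted so a cycle ends the walk instead of exhausting the native stack; the JsValue, JsObject, Outcome and Path names are assumptions of this toy model.

```cpp
#include <unordered_set>
#include <vector>

// Constructed toy model of a JavaScript object graph (not JSC's real types);
// arrays and plain objects are both just containers of values here.
struct JsObject;
struct JsValue { const JsObject* obj = nullptr; };  // nullptr models a primitive
struct JsObject { std::vector<JsValue> slots; };     // property values or array elements

struct Outcome {
    bool cycle = false;   // walk refused because an object on the current path recurred
    int visited = 0;      // values walked before stopping
};
using Path = std::unordered_set<const JsObject*>;
Outcome convertValue(const JsValue& v, Path& ancestors);

// Mirrors convertToList<QVariant>: every child goes back through convertValue.
Outcome convertChildren(const JsObject& container, Path& ancestors) {
    Outcome out;
    for (const JsValue& child : container.slots) {
        Outcome r = convertValue(child, ancestors);
        out.visited += r.visited;
        if (r.cycle) { out.cycle = true; break; }
    }
    return out;
}

// Mirrors convertValueToQVariant, but tracks the objects currently being converted
// so a back-reference ends the walk instead of exhausting the native stack.
Outcome convertValue(const JsValue& v, Path& ancestors) {
    if (!v.obj) return Outcome{false, 1};                         // primitives never recurse
    if (!ancestors.insert(v.obj).second) return Outcome{true, 1}; // already on the path: cycle
    Outcome inner = convertChildren(*v.obj, ancestors);
    ancestors.erase(v.obj);   // pop on the way out, so shared (DAG) references stay legal
    return Outcome{inner.cycle, inner.visited + 1};
}

// The reporter's graph: two.x = [one], and one.other = two (cyclic) or a primitive.
Outcome convertReproducer(bool closeTheCycle) {
    JsObject two, one, arr;
    one.slots.push_back(JsValue{closeTheCycle ? &two : nullptr});
    arr.slots.push_back(JsValue{&one});
    two.slots.push_back(JsValue{&arr});
    Path ancestors;
    return convertValue(JsValue{&two}, ancestors);
}
```

With the cycle closed the walk stops after four values and reports the cycle; with one.other set to a primitive the same four values convert cleanly, which is the difference between the Jasmine Env/Suite graph and an ordinary nested object.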
Comment 1 Alexey Proskuryakov 2021-06-29 15:10:23 PDT
Qt support was removed from WebKit.