Bug 708819 - Avoid recursion through Error.prototype.toString/toSource r=luke
authorTom Schuster <evilpies@gmail.com>
Mon, 19 Dec 2011 14:17:00 +0100
changeset 82964 2172873119db0554d91f757bb0ec6004c435027e
parent 82963 caeef8ca5d94559547ace1dcc5b53f7304bdda7d
child 82965 1c542f9a2e1086c4ce4385d54875cae294141b23
push id21714
push usermbrubeck@mozilla.com
push dateMon, 19 Dec 2011 19:12:48 +0000
treeherdermozilla-central@e6179f497b74 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersluke
bugs708819
milestone11.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 708819 - Avoid recursion through Error.prototype.toString/toSource r=luke
js/src/jit-test/tests/basic/bug708819.js
js/src/jsexn.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug708819.js
@@ -0,0 +1,12 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+try {
+    var e = new Error();
+    e.name = e;
+    "" + e;
+} catch (e) {
+    assertEq(e.message, 'too much recursion');
+}
--- a/js/src/jsexn.cpp
+++ b/js/src/jsexn.cpp
@@ -798,16 +798,17 @@ Exception(JSContext *cx, uintN argc, Val
     args.rval().setObject(*obj);
     return true;
 }
 
 /* ES5 15.11.4.4 (NB: with subsequent errata). */
 static JSBool
 exn_toString(JSContext *cx, uintN argc, Value *vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
     CallArgs args = CallArgsFromVp(argc, vp);
 
     /* Step 2. */
     if (!args.thisv().isObject()) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_BAD_PROTOTYPE, "Error");
         return false;
     }
 
@@ -876,16 +877,17 @@ exn_toString(JSContext *cx, uintN argc, 
 
 #if JS_HAS_TOSOURCE
 /*
  * Return a string that may eval to something similar to the original object.
  */
 static JSBool
 exn_toSource(JSContext *cx, uintN argc, Value *vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
     CallArgs args = CallArgsFromVp(argc, vp);
 
     JSObject *obj = ToObject(cx, &args.thisv());
     if (!obj)
         return false;
 
     Value nameVal;
     JSString *name;