Bug 582649 - "Too-much-recursion crash with setUserData [@ * | XPCConvert::JSArray2Native]" [r=mrbkap a=dveditz]
authorPeter Van der Beken <peterv@propagandism.org>
Fri, 19 Nov 2010 01:11:44 -0800
changeset 27221 7da8e189105d0df75c5c714fdc90032cfb7ff058
parent 27220 38c1615a54805379502d4e536c4e6a91c2a34493
child 27222 fecef32f84b0f7d330dd9663f2fa0860d034b256
push id2578
push userreed@reedloden.com
push dateFri, 19 Nov 2010 09:56:20 +0000
reviewersmrbkap, dveditz
bugs582649
milestone1.9.1.16pre
Bug 582649 - "Too-much-recursion crash with setUserData [@ * | XPCConvert::JSArray2Native]" [r=mrbkap a=dveditz]
js/src/jscntxt.cpp
js/src/jscntxt.h
js/src/xpconnect/crashtests/582649.html
js/src/xpconnect/crashtests/crashtests.list
js/src/xpconnect/src/xpcvariant.cpp
--- a/js/src/jscntxt.cpp
+++ b/js/src/jscntxt.cpp
@@ -1320,17 +1320,17 @@ js_ReportOutOfMemory(JSContext *cx)
 
 void
 js_ReportOutOfScriptQuota(JSContext *cx)
 {
     JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                          JSMSG_SCRIPT_STACK_QUOTA);
 }
 
-void
+JS_FRIEND_API(void)
 js_ReportOverRecursed(JSContext *cx)
 {
     JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_OVER_RECURSED);
 }
 
 void
 js_ReportAllocationOverflow(JSContext *cx)
 {
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
@@ -1349,17 +1349,17 @@ extern void
 js_ReportOutOfMemory(JSContext *cx);
 
 /*
  * Report that cx->scriptStackQuota is exhausted.
  */
 extern void
 js_ReportOutOfScriptQuota(JSContext *cx);
 
-extern void
+extern JS_FRIEND_API(void)
 js_ReportOverRecursed(JSContext *cx);
 
 extern void
 js_ReportAllocationOverflow(JSContext *cx);
 
 #define JS_CHECK_RECURSION(cx, onerror)                                       \
     JS_BEGIN_MACRO                                                            \
         int stackDummy_;                                                      \
new file mode 100644
--- /dev/null
+++ b/js/src/xpconnect/crashtests/582649.html
@@ -0,0 +1,12 @@
+<html>
+<head>
+	<title>Testcase for bug 582649</title>
+</head>
+<body>
+<script>
+var foo = [];
+foo[0] = foo;
+document.body.setUserData("foo", foo, null);
+</script>
+</body>
+</html>
--- a/js/src/xpconnect/crashtests/crashtests.list
+++ b/js/src/xpconnect/crashtests/crashtests.list
@@ -14,8 +14,9 @@ load 418139-1.svg
 load 420513-1.html
 load 453935-1.html
 load 462926.html
 load 468552-1.html
 load 471366-1.html
 load 475185-1.html
 load 475291-1.html
 load 503286-1.html
+load 582649.html
--- a/js/src/xpconnect/src/xpcvariant.cpp
+++ b/js/src/xpconnect/src/xpcvariant.cpp
@@ -291,16 +291,18 @@ XPCArrayHomogenizer::GetTypeForArray(XPC
             NS_ERROR("bad state");
             return JS_FALSE;
     }
     return JS_TRUE;
 }
 
 JSBool XPCVariant::InitializeData(XPCCallContext& ccx)
 {
+    JS_CHECK_RECURSION(ccx.GetJSContext(), return JS_FALSE);
+
     if(JSVAL_IS_INT(mJSVal))
         return NS_SUCCEEDED(nsVariant::SetFromInt32(&mData, 
                                                    JSVAL_TO_INT(mJSVal)));
     if(JSVAL_IS_DOUBLE(mJSVal))
         return NS_SUCCEEDED(nsVariant::SetFromDouble(&mData, 
                                                      *JSVAL_TO_DOUBLE(mJSVal)));
     if(JSVAL_IS_BOOLEAN(mJSVal))
         return NS_SUCCEEDED(nsVariant::SetFromBool(&mData,