diff --git a/js/src/jit-test/tests/basic/testOverRecursed1.js b/js/src/jit-test/tests/basic/testOverRecursed1.js
new file mode 100644
index 000000000000..d44da136c272
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testOverRecursed1.js
@@ -0,0 +1,6 @@
+// |jit-test| error:InternalError
+
+var a = [];
+var f = a.forEach.bind(a);
+a.push(f);
+f(f);
diff --git a/js/src/jit-test/tests/basic/testOverRecursed2.js b/js/src/jit-test/tests/basic/testOverRecursed2.js
new file mode 100644
index 000000000000..bcd59d8b2eb0
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testOverRecursed2.js
@@ -0,0 +1,7 @@
+// |jit-test| error:InternalError
+
+var a = [];
+var sort = a.sort.bind(a);
+a.push(sort);
+a.push(sort);
+sort(sort);
diff --git a/js/src/jit-test/tests/basic/testOverRecursed3.js b/js/src/jit-test/tests/basic/testOverRecursed3.js
new file mode 100644
index 000000000000..ac6f16e28a80
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testOverRecursed3.js
@@ -0,0 +1,6 @@
+// |jit-test| error:InternalError
+
+x = [];
+x.push(x);
+x.toString = x.sort;
+x.toString();
diff --git a/js/src/jit-test/tests/basic/testOverRecursed4.js b/js/src/jit-test/tests/basic/testOverRecursed4.js
new file mode 100644
index 000000000000..e29d4bf7d80e
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testOverRecursed4.js
@@ -0,0 +1,9 @@
+function tryItOut(code) {
+ f = eval("(function(){" + code + "})")
+ try {
+ f()
+ } catch (e) {}
+}
+tryItOut("x=7");
+tryItOut("\"use strict\";for(d in[x=arguments]){}");
+tryItOut("for(v in((Object.seal)(x)));x.length=Function")
diff --git a/js/src/jit-test/tests/basic/testOverRecursed5.js b/js/src/jit-test/tests/basic/testOverRecursed5.js
new file mode 100644
index 000000000000..f7029392ebc8
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testOverRecursed5.js
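Review bot: None of the new test files states what it regresses, so a reader has to reconstruct the cycle from three lines; testOverRecursed1.js deserves a comment after the directive. Tracing the file, `a.forEach(f)` invokes `f(f, 0, a)`, and since `f` is `forEach` bound to `a` that is `a.forEach(...)` again, so the recursion is native-to-native with no interpreter frame in between, which is presumably why the over-recursion error now has to be raised at the native call boundary. I would add `// f is a.forEach bound to a and is also a's only element, so a.forEach(f) calls f(f, 0, a), i.e. a.forEach again: natives recurse with no script frame in between.` under the directive. testOverRecursed2.js (the comparator handed to sort is sort itself), testOverRecursed3.js (toString aliased to sort on an array that contains itself) and testOverRecursed6.js on the next line (toJSON re-entering ToPrimitive) want the same one-line statement of their cycle.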
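Review bot: testOverRecursed4.js and testOverRecursed5.js (which continues on the next line) carry neither a `// |jit-test|` directive nor a comment, unlike the other four files, so the expected outcome is stated nowhere; since tryItOut swallows every exception, the intent is presumably only "runs to completion without crashing or asserting". A one-line header such as `// Regression test: must run to completion without crashing; tryItOut swallows any exception.` would make that reviewable, with the equivalent line in testOverRecursed5.js. In testOverRecursed5.js, note that `for each(b in [])` iterates an empty array, so `g` is never called; if the reduced case depends on g running, the fixture is empty and worth confirming against the original report.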
@@ -0,0 +1,13 @@
+JSON.__proto__[1] = Uint8ClampedArray().buffer
+f = (function() {
+ function g(c) {
+ Object.freeze(c).__proto__ = c
+ }
+ for each(b in []) {
+ try {
+ g(b)
+ } catch (e) {}
+ }
+})
+f()
+f()
diff --git a/js/src/jit-test/tests/basic/testOverRecursed6.js b/js/src/jit-test/tests/basic/testOverRecursed6.js
new file mode 100644
index 000000000000..7c30bc7b6105
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testOverRecursed6.js
@@ -0,0 +1,3 @@
+// |jit-test| error:InternalError
+
+"" + {toString: Date.prototype.toJSON};
diff --git a/js/src/jscntxtinlines.h b/js/src/jscntxtinlines.h
index 955f2e7ae323..56690ebeaee6 100644
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@@ -380,6 +380,8 @@ STATIC_PRECONDITION_ASSUME(ubound(args.argv_) >= argc)
 JS_ALWAYS_INLINE bool
 CallJSNative(JSContext *cx, Native native, const CallArgs &args)
 {
+ JS_CHECK_RECURSION(cx, return false);
+
 #ifdef DEBUG
 bool alreadyThrowing = cx->isExceptionPending();
 #endif
@@ -448,6 +450,8 @@ CallJSNativeConstructor(JSContext *cx, Native native, const CallArgs &args)
 JS_ALWAYS_INLINE bool
 CallJSPropertyOp(JSContext *cx, PropertyOp op, HandleObject receiver, HandleId id, MutableHandleValue vp)
 {
+ JS_CHECK_RECURSION(cx, return false);
+
 assertSameCompartment(cx, receiver, id, vp);
 JSBool ok = op(cx, receiver, id, vp);
 if (ok)
@@ -459,6 +463,8 @@ JS_ALWAYS_INLINE bool
 CallJSPropertyOpSetter(JSContext *cx, StrictPropertyOp op, HandleObject obj, HandleId id, JSBool strict, MutableHandleValue vp)
 {
+ JS_CHECK_RECURSION(cx, return false);
+
 assertSameCompartment(cx, obj, id, vp);
 return op(cx, obj, id, strict, vp);
 }
diff --git a/js/src/jsxml.cpp b/js/src/jsxml.cpp
index a70caaa80f4b..1a61d83e7418 100644
--- a/js/src/jsxml.cpp
+++ b/js/src/jsxml.cpp
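Review bot: The new `JS_CHECK_RECURSION(cx, return false);` at the top of CallJSNative carries no comment saying why a stack-depth check belongs at the native call boundary, and the same bare line is repeated in CallJSPropertyOp and CallJSPropertyOpSetter in the next two hunks. The accompanying tests show natives re-entering natives — a bound forEach, a sort comparator, a toString hook — with no interpreter frame in between, so presumably the interpreter's own check never runs on that path and the C stack grows until the process dies; that reasoning should sit next to the first check rather than only in the test names. I would add above it `// Natives can re-enter natives (bound functions, sort comparators, toString hooks) with no interpreter frame in between, so bound C-stack depth here too; on overflow the over-recursion error is reported and we return false with it pending.` and a one-line `// See CallJSNative.` at the two other sites. The placement ahead of the DEBUG `alreadyThrowing` capture is worth a word as well, since an error set by this check must not be mistaken for one the native left behind. CallJSNative's body continues past `#endif`, outside the hunk.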
@@ -5045,6 +5045,8 @@ xml_toString_helper(JSContext *cx, JSXML *xml);
 JSBool
 xml_convert(JSContext *cx, HandleObject obj, JSType hint, MutableHandleValue rval)
 {
+ JS_CHECK_RECURSION(cx, return false);
+
 JS_ASSERT(hint == JSTYPE_NUMBER || hint == JSTYPE_STRING || hint == JSTYPE_VOID);
 JS_ASSERT(obj->isXML());