Bug 779215 - CallJS(Native|PropertyOp|PropertyOpSetter) should JS_CHECK_RECURSION, r=dmandelin

2012-07-31 11:58:33 -07:00 · 2012-07-31 11:58:33 -07:00 · 9bdab548c9
--- a/js/src/jit-test/tests/basic/testOverRecursed1.js
+++ b/js/src/jit-test/tests/basic/testOverRecursed1.js
@ -0,0 +1,6 @@
+// |jit-test| error:InternalError
+
+var a = [];
+var f = a.forEach.bind(a);
+a.push(f);
+f(f);
--- a/js/src/jit-test/tests/basic/testOverRecursed2.js
+++ b/js/src/jit-test/tests/basic/testOverRecursed2.js
@ -0,0 +1,7 @@
+// |jit-test| error:InternalError
+
+var a = [];
+var sort = a.sort.bind(a);
+a.push(sort);
+a.push(sort);
+sort(sort);
--- a/js/src/jit-test/tests/basic/testOverRecursed3.js
+++ b/js/src/jit-test/tests/basic/testOverRecursed3.js
@ -0,0 +1,6 @@
+// |jit-test| error:InternalError
+
+x = [];
+x.push(x);
+x.toString = x.sort;
+x.toString();
--- a/js/src/jit-test/tests/basic/testOverRecursed4.js
+++ b/js/src/jit-test/tests/basic/testOverRecursed4.js
@ -0,0 +1,9 @@
+function tryItOut(code) {
+    f = eval("(function(){" + code + "})")
+    try {
+        f()
+    } catch (e) {}
+}
+tryItOut("x=7");
+tryItOut("\"use strict\";for(d in[x=arguments]){}");
+tryItOut("for(v in((Object.seal)(x)));x.length=Function")
--- a/js/src/jit-test/tests/basic/testOverRecursed5.js
+++ b/js/src/jit-test/tests/basic/testOverRecursed5.js
@ -0,0 +1,13 @@
+JSON.__proto__[1] = Uint8ClampedArray().buffer
+f = (function() {
+    function g(c) {
+        Object.freeze(c).__proto__ = c
+    }
+    for each(b in []) {
+        try {
+            g(b)
+        } catch (e) {}
+    }
+})
+f()
+f()
--- a/js/src/jit-test/tests/basic/testOverRecursed6.js
+++ b/js/src/jit-test/tests/basic/testOverRecursed6.js
@ -0,0 +1,3 @@
+// |jit-test| error:InternalError
+
+"" + {toString: Date.prototype.toJSON};
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@ -380,6 +380,8 @@ STATIC_PRECONDITION_ASSUME(ubound(args.argv_) >= argc)
 JS_ALWAYS_INLINE bool
 CallJSNative(JSContext *cx, Native native, const CallArgs &args)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
 #ifdef DEBUG
    bool alreadyThrowing = cx->isExceptionPending();
 #endif
@ -448,6 +450,8 @@ CallJSNativeConstructor(JSContext *cx, Native native, const CallArgs &args)
 JS_ALWAYS_INLINE bool
 CallJSPropertyOp(JSContext *cx, PropertyOp op, HandleObject receiver, HandleId id, MutableHandleValue vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
    assertSameCompartment(cx, receiver, id, vp);
    JSBool ok = op(cx, receiver, id, vp);
    if (ok)
@ -459,6 +463,8 @@ JS_ALWAYS_INLINE bool
 CallJSPropertyOpSetter(JSContext *cx, StrictPropertyOp op, HandleObject obj, HandleId id,
                       JSBool strict, MutableHandleValue vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
    assertSameCompartment(cx, obj, id, vp);
    return op(cx, obj, id, strict, vp);
 }
--- a/js/src/jsxml.cpp
+++ b/js/src/jsxml.cpp
@ -5045,6 +5045,8 @@ xml_toString_helper(JSContext *cx, JSXML *xml);
 JSBool
 xml_convert(JSContext *cx, HandleObject obj, JSType hint, MutableHandleValue rval)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
    JS_ASSERT(hint == JSTYPE_NUMBER || hint == JSTYPE_STRING || hint == JSTYPE_VOID);
    JS_ASSERT(obj->isXML());