Reviewed by Geoff.
- fix http://bugs.webkit.org/show_bug.cgi?id=15618
<rdar://problem/5619353> REGRESSION: Stack overflow/crash in KJS::equal (15618)
Test: fast/js/recursion-limit-equal.html
* kjs/operations.cpp: (KJS::equal): Check the exception from toPrimitive.
LayoutTests:
Reviewed by Geoff.
- test for http://bugs.webkit.org/show_bug.cgi?id=15618
<rdar://problem/5619353> REGRESSION: Stack overflow/crash in KJS::equal (15618)
* fast/js/recursion-limit-equal-expected.txt: Added.
* fast/js/recursion-limit-equal.html: Added.
* fast/js/resources/recursion-limit-equal.js: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28370 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2007-12-03 Darin Adler <darin@apple.com>
+
+ Reviewed by Geoff.
+
+ - fix http://bugs.webkit.org/show_bug.cgi?id=15618
+ <rdar://problem/5619353> REGRESSION: Stack overflow/crash in KJS::equal (15618)
+
+ Test: fast/js/recursion-limit-equal.html
+
+ * kjs/operations.cpp: (KJS::equal): Check the exception from toPrimitive.
+
2007-12-03 Dan Bernstein <mitz@apple.com>
- fix a copy-and-paste-o
t1 = NumberType;
// use toNumber
else {
- if ((t1 == StringType || t1 == NumberType) && t2 >= ObjectType)
- return equal(exec, v1, v2->toPrimitive(exec));
+ if ((t1 == StringType || t1 == NumberType) && t2 == ObjectType) {
+ v2 = v2->toPrimitive(exec);
+ if (exec->hadException())
+ return false;
+ return equal(exec, v1, v2);
+ }
if (t1 == NullType && t2 == ObjectType)
return static_cast<JSObject *>(v2)->masqueradeAsUndefined();
- if (t1 >= ObjectType && (t2 == StringType || t2 == NumberType))
- return equal(exec, v1->toPrimitive(exec), v2);
+ if (t1 == ObjectType && (t2 == StringType || t2 == NumberType)) {
+ v1 = v1->toPrimitive(exec);
+ if (exec->hadException())
+ return false;
+ return equal(exec, v1, v2);
+ }
if (t1 == ObjectType && t2 == NullType)
return static_cast<JSObject *>(v1)->masqueradeAsUndefined();
if (t1 != t2)
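Review bot: The narrowing from `>= ObjectType` to `== ObjectType` in both rewritten conditions is not covered by the ChangeLog entry, which only mentions checking the exception from toPrimitive. If no type value ordered after ObjectType can reach this code, note that in the ChangeLog or assert it here; otherwise such values now skip the toPrimitive conversion and fall through to the `t1 != t2` check. A one-line comment above each `if (exec->hadException())` saying that `false` is a placeholder result and callers must check the exception state would also make the early return easier to read.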
+2007-12-03 Darin Adler <darin@apple.com>
+
+ Reviewed by Geoff.
+
+ - test for http://bugs.webkit.org/show_bug.cgi?id=15618
+ <rdar://problem/5619353> REGRESSION: Stack overflow/crash in KJS::equal (15618)
+
+ * fast/js/recursion-limit-equal-expected.txt: Added.
+ * fast/js/recursion-limit-equal.html: Added.
+ * fast/js/resources/recursion-limit-equal.js: Added.
+
2007-12-03 Dan Bernstein <mitz@apple.com>
Reviewed by Darin Adler.
--- /dev/null
+CONSOLE MESSAGE: line 9: RangeError: Maximum call stack size exceeded.
+Tests hitting the recursion limit with equality comparisons. At one point this crashed due to lack of exception checking inside the engine.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+If the test did not crash, it has passed.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/recursion-limit-equal.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
--- /dev/null
+description('Tests hitting the recursion limit with equality comparisons. At one point this crashed due to lack of exception checking inside the engine.');
+
+ch = 0;
+
+var successfullyParsed = true;
+
+function test()
+{
+ if (ch == 0)
+ ch = document.getElementsByTagName('html');
+ test();
+}
+
+debug('If the test did not crash, it has passed.');
+debug('');
+
+test();
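Review bot: Coverage is one-sided in test(): `ch == 0` puts the object on the left once `ch` holds the `getElementsByTagName` result, so only the `t1 == ObjectType` branch changed in kjs/operations.cpp is exercised. A second recursive function comparing `0 == ch` would cover the mirrored branch that received the same fix. A short comment explaining that the comparison is what drives the object-to-primitive conversion at the recursion limit would help, since nothing in the test body says which expression is under test.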