[Webkit-unassigned] [Bug 117119] New: infinite recursion in JSC::Bindings::convertValueToQVariant
bugzilla-daemon at webkit.org
Sat Jun 1 23:36:36 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=117119
Summary: infinite recursion in JSC::Bindings::convertValueToQVariant
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebKit Qt
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: djc at djc.id.au
Running the following minimal reproducer against QtWebKit 5.0.2 causes infinite recursion in JSC::Bindings::convertValueToQVariant.
#include <QApplication>
#include <QWebFrame>
#include <QWebPage>

int main(int argc, char *argv[]) {
    QApplication app(argc, argv);
    QWebPage page;
    // Build a cycle (two.x = [one], one.other = two) and hand the resulting
    // object back through evaluateJavaScript's JS-to-QVariant conversion.
    page.mainFrame()->evaluateJavaScript(
        "One = function (other) { this.other = other; };"
        "Two = function () { };"
        "Two.prototype.breakage = function () {"
        "  var one = new One(this);"
        "  this.x = [one];"
        "  return one;"
        "};"
        "new Two().breakage();"
    );
    return 0;
}
The stack trace from gdb looks like this:
#0 JSC::JSObject::getOwnNonIndexPropertyNames (object=0x7fffd018ff40, exec=0x7fffd022f388, propertyNames=..., mode=JSC::ExcludeDontEnumProperties) at runtime/JSObject.cpp:1514
#1 0x00007ffff70e63f5 in JSC::JSObject::getOwnPropertyNames (object=0x7fffd018ff40, exec=0x7fffd022f388, propertyNames=..., mode=JSC::ExcludeDontEnumProperties) at runtime/JSObject.cpp:1510
#2 0x00007ffff70dd152 in JSC::JSObject::getPropertyNames (object=<optimized out>, exec=0x7fffd022f388, propertyNames=..., mode=JSC::ExcludeDontEnumProperties) at runtime/JSObject.cpp:1437
#3 0x00007ffff6e72d41 in JSObjectCopyPropertyNames (ctx=0x7fffd022f388, object=0x7fffd018ff40) at API/JSObjectRef.cpp:510
#4 0x00007ffff60137a5 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#5 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#6 0x00007ffff6014327 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#7 0x00007ffff6016cfb in JSC::Bindings::convertToList<QVariant> () from /lib64/libQt5WebKit.so.5
#8 0x00007ffff60131d4 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#9 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#10 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#11 0x00007ffff6014327 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#12 0x00007ffff6016cfb in JSC::Bindings::convertToList<QVariant> () from /lib64/libQt5WebKit.so.5
[...]
#37962 0x00007ffff6016cfb in JSC::Bindings::convertToList<QVariant> () from /lib64/libQt5WebKit.so.5
#37963 0x00007ffff60131d4 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37964 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37965 0x00007ffff6013877 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37966 0x00007ffff6014327 in JSC::Bindings::convertValueToQVariant () from /lib64/libQt5WebKit.so.5
#37967 0x00007ffff5ddbfa0 in QWebFrameAdapter::evaluateJavaScript () from /lib64/libQt5WebKit.so.5
#37968 0x00007ffff7bbbf3d in QWebFrame::evaluateJavaScript () from /lib64/libQt5WebKitWidgets.so.5
#37969 0x0000000000400aa7 in main (argc=1, argv=<optimized out>) at test.cpp:18
The actual code that triggered this was Jasmine used by the PhantomJS test suite. It sets up a cyclic relationship between its Env and Suite objects through an array property, like the minimal reproducer above.
As a wild guess (I don't understand WebKit very well) this seems like it could be related to bug 104135.
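The cycle from the report (two.x = [one], one.other = two) walked by a recursive converter of the same object -> list -> object shape, as an added illustration of the cycle guard such a converter needs. This is example code written for this page, not WebKit's or Qt's; the Value and Result types and the function names are constructed stand-ins.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for a JS object graph (constructed for this example, not WebKit types).
struct Value {
    enum Kind { Object, Array } kind;
    std::map<std::string, Value*> props;  // named properties of an Object
    std::vector<Value*> items;            // elements of an Array
};

// What the conversion observed: how many values were converted and whether a
// cycle was cut. An unguarded converter never returns in the cycle case.
struct Result { int converted = 0; bool cycleSeen = false; };

// Recursive converter in the shape of convertValueToQVariant -> convertToList ->
// convertValueToQVariant, with a guard: values already on the current descent
// path are not descended into again.
static void convert(const Value* v, std::set<const Value*>& onPath, Result& r) {
    if (!onPath.insert(v).second) { r.cycleSeen = true; return; }
    ++r.converted;
    if (v->kind == Value::Array)
        for (const Value* item : v->items) convert(item, onPath, r);
    else
        for (const auto& p : v->props) convert(p.second, onPath, r);
    onPath.erase(v);  // off the path: shared (non-cyclic) references stay convertible
}

// The report's graph: two.x = [one] and one.other = two.
static Result convertReproducer() {
    Value two{Value::Object, {}, {}}, one{Value::Object, {}, {}}, list{Value::Array, {}, {}};
    one.props["other"] = &two;
    list.items.push_back(&one);
    two.props["x"] = &list;
    Result r;
    std::set<const Value*> onPath;
    convert(&two, onPath, r);
    return r;  // converted == 3 (two, list, one); cycleSeen == true
}

// A shared but acyclic graph: root.x = [leaf, leaf]. Must not be reported as a cycle.
static Result convertShared() {
    Value root{Value::Object, {}, {}}, leaf{Value::Object, {}, {}}, list{Value::Array, {}, {}};
    list.items = {&leaf, &leaf};
    root.props["x"] = &list;
    Result r;
    std::set<const Value*> onPath;
    convert(&root, onPath, r);
    return r;  // converted == 4; cycleSeen == false
}
```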