Subj: SpiderMonkey (1.5 pr 6a) Stack Overflow
To: netscape.public.mozilla.jseng
From: Rob Swindell
Date: Wed Apr 13 2005 09:27 pm

I have a script (an IRC server, so it's rather large and complex) which occasionally causes a stack overflow condition in the JS engine (on both Win32 and *nix platforms). When the exception/segfault occurs, the stack trace is always the same. Here is an example (from an msvc6/win32 build):

  js_LookupPropertyWithFlags(JSContext * 0x00a31f58, JSObject * 0x015b30f0, long 0x00a3bb38, unsigned int 0x00000000, JSObject * * 0x00033238, JSProperty * * 0x00033234) line 2423 + 9 bytes
  js_LookupProperty(JSContext * 0x00a31f58, JSObject * 0x015b30f0, long 0x00a3bb38, JSObject * * 0x00033238, JSProperty * * 0x00033234) line 2417 + 27 bytes
  js_GetProperty(JSContext * 0x00a31f58, JSObject * 0x015b30f0, long 0x00a3bb38, long * 0x000332a4) line 2699 + 25 bytes
  js_TryMethod(JSContext * 0x00a31f58, JSObject * 0x015b30f0, JSAtom * 0x00a3bb38, unsigned int 0x00000001, long * 0x00033318, long * 0x00033450) line 3723 + 27 bytes
  js_TryValueOf(JSContext * 0x00a31f58, JSObject * 0x015b30f0, int 0x00000001, long * 0x00033450) line 3702 + 36 bytes
  array_convert(JSContext * 0x00a31f58, JSObject * 0x015b30f0, int 0x00000001, long * 0x00033450) line 312 + 21 bytes
  js_DefaultValue(JSContext * 0x00a31f58, JSObject * 0x015b30f0, int 0x00000001, long * 0x000334d0) line 3163 + 298 bytes
  js_ValueToObject(JSContext * 0x00a31f58, long 0x015b30f0, JSObject * * 0x00034454) line 3654 + 25 bytes
  js_Interpret(JSContext * 0x00a31f58, unsigned char * 0x01258eca, long * 0x000345a0) line 2176 + 20 bytes
  js_Invoke(JSContext * 0x00a31f58, unsigned int 0x00000003, unsigned int 0x00000000) line 1313 + 22 bytes
  js_Interpret(JSContext * 0x00a31f58, unsigned char * 0x01258f3e, long * 0x000356f0) line 3566 + 15 bytes
  js_Invoke(JSContext * 0x00a31f58, unsigned int 0x00000003, unsigned int 0x00000000) line 1313 + 22 bytes
  .... (the above 2 calls are repeated *hundreds* of times) ...
  js_Interpret(JSContext * 0x00a31f58, unsigned char * 0x01258f3e, long * 0x0012e4d0) line 3566 + 15 bytes
  js_Invoke(JSContext * 0x00a31f58, unsigned int 0x00000002, unsigned int 0x00000000) line 1313 + 22 bytes
  js_Interpret(JSContext * 0x00a31f58, unsigned char * 0x015c8f08, long * 0x0012f594) line 3566 + 15 bytes
  js_Execute(JSContext * 0x00a31f58, JSObject * 0x00a383a8, JSScript * 0x0167ba00, JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0012f6b0) line 1523 + 19 bytes
  JS_ExecuteScript(JSContext * 0x00a31f58, JSObject * 0x00a383a8, JSScript * 0x0167ba00, long * 0x0012f6b0) line 3630 + 25 bytes
  js_exec(const char * 0x00a50c21, char * * 0x00a50bd4) line 696 + 35 bytes
  main(int 0x0000000a, char * * 0x00a50bb0, char * * 0x00a50c58) line 946 + 25 bytes
  mainCRTStartup() line 206 + 25 bytes
  KERNEL32! 7c59893d()

I hypothesized that this was some kind of recursive object/property recursion bug in the script, but when I try to intentionally reproduce it with a test script, I always get the (expected) JS recursion exception. Anyone have any clue what's actually happening here?

Thanks,
-Rob