Bug 657585 - Guard against runaway recursion converting |this| to string in all the String.prototype.* methods. r=luke

--HG--
extra : rebase_source : 76642de53803bfdbc3b4d02e83f1d0e5713bd206

js/src/jsstr.cpp

@@ -766,6 +766,8 @@ Class js_StringClass = {
 static JS_ALWAYS_INLINE JSString *
 ThisToStringForStringProto(JSContext *cx, Value *vp)
 {
+    JS_CHECK_RECURSION(cx, return NULL);
+
     if (vp[1].isString())
         return vp[1].toString();
 

js/src/tests/ecma_5/extensions/String-methods-infinite-recursion.js

@@ -0,0 +1,36 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+//-----------------------------------------------------------------------------
+var BUGNUMBER = 657585;
+var summary =
+  'Guard against infinite recursion when converting |this| to string for the ' +
+  'String.prototype.* methods';
+
+print(BUGNUMBER + ": " + summary);
+
+/**************
+ * BEGIN TEST *
+ **************/
+
+try
+{
+  var obj = {};
+  obj.toString = String.prototype.charAt;
+  "" + obj;
+  throw new Error("should have thrown");
+}
+catch (e)
+{
+  assertEq(e instanceof InternalError, true,
+           "should have thrown InternalError for over-recursion, got: " + e);
+}
+
+/******************************************************************************/
+
+if (typeof reportCompare === "function")
+  reportCompare(true, true);
+
+print("All tests passed!");

js/src/tests/ecma_5/extensions/jstests.list

@@ -24,6 +24,7 @@ script regress-bug629723.js
 script strict-function-statements.js
 script strict-option-redeclared-parameter.js
 script string-literal-getter-setter-decompilation.js
+script String-methods-infinite-recursion.js
 script toLocaleString-infinite-recursion.js
 script toSource-infinite-recursion.js
 script uneval-strict-functions.js