Comment #4 on issue 2095 by [email protected]: stack corruption with
latest v8 Versions
http://code.google.com/p/v8/issues/detail?id=2095
In external script http://m.news.naver.com/js/jindo.custom.js?20120419194854
// Compiles the generated template source into a function: the pieces in _aStr are
// joined to form the body of function(d){...}. The leading "false||" makes the text
// parse as an expression, so eval returns the function object.
// NOTE(review): eval executes whatever text ends up in _aStr. If any part of it can
// derive from untrusted input, that is script injection; confirm the template source
// is static. This pattern also requires 'unsafe-eval' under a Content-Security-Policy.
tpl=eval("false||function(d){"+_aStr.join("")+"}");
// Call the compiled template with the data object; tpl is rebound to its return value.
tpl=tpl(data);
The above code is used to update the comments.
The function body passed to eval is generated dynamically.
The crash is not seen for the first 2 evaluations of eval scripts;
the crash happens for the following script:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
// Generated template function (the text the report says is handed to eval). It walks
// d.list, appends HTML fragments to the array s, and returns them joined into one
// string. It writes scratch fields onto the caller's object d (d.item, d.isMine, ...);
// only d.item is deleted again, at the end of each iteration.
// NOTE(review): several string literals below are split across two lines and the "?"
// runs look like lost non-ASCII text. Both appear to be artifacts of how the listing
// was pasted, so it will not parse exactly as shown.
// NOTE(review): only d.item.content is passed through escapeHTML(). snsType,
// maskUserId, userNickname, sRegDate, statusModReason, the counters and the ids are
// appended to the markup as-is. If any of them can carry user-supplied text and the
// result is assigned as HTML, that is a script-injection risk; confirm they are
// escaped or validated before they reach this template.
function(d) {
var s = [], i = 0;
// True when o's Object.prototype.toString tag is "[object Array]".
function isArray(o) {
return Object.prototype.toString.call(o) == "[object Array]"
}
;
s[i++] = "<ul class=\"cmt_lst\"> ";
// t0 is the collection to render (an empty object when d.list is falsy);
// p0 records whether it is an array.
var t0 = d.list || {}, p0 = isArray(t0), i0 = 0;
for (var x0 in t0) {
// Skip inherited keys.
if (!t0.hasOwnProperty(x0)) {
continue;
}
// Arrays: skip keys that do not parse as an integer (i0 receives the parsed index).
// Other objects: skip keys that are not enumerable.
if ((p0 && isNaN(i0 = parseInt(x0, 10))) || (!p0
&& !t0.propertyIsEnumerable(x0)))
continue;
d.item = t0[x0];
s[i++] = " ";
// Per-item flags, stored on d and read by the conditionals further down.
d.isValidItem = (d.item.statusCd) == "service";
s[i++] = " ";
d.isMobile = (d.item.incomingType) == "mobile";
s[i++] = " ";
// "Mine" means both the user id and the SNS type match the viewer's values on d.
d.isMine = (d.userId) == (d.item.userId) && (d.snsType) ==
(d.item.snsType);
s[i++] = " ";
d.isNotMine = !(d.isMine);
s[i++] = " ";
d.isNaver = (d.item.snsType) == "naver";
s[i++] = " ";
d.isNotNaver = !(d.isNaver);
s[i++] = " ";
d.isNaverButNotMine = (d.isNaver) && (d.isNotMine);
s[i++] = " ";
d.isTwitter = (d.item.snsType) == "twitter";
s[i++] = " ";
d.isMe2day = (d.item.snsType) == "me2day";
s[i++] = " <li id=\"scmt-item-";
s[i++] = d.item.commentReplyNo;
s[i++] = "\" class=\"";
if (d.isMine) {
s[i++] = "my_post";
}
;
s[i++] = "\"> ";
if (d.isNotNaver) {
s[i++] = " <span class=\"sns ";
// NOTE(review): snsType is written into a class attribute and into element text
// without escaping.
s[i++] = d.item.snsType;
s[i++] = "\">";
s[i++] = d.item.snsType;
s[i++] = "</span> ";
}
;
s[i++] = " <a class=\"name _nclicks(rpl.prf)\">";
// NOTE(review): both display-name variants are appended without escaping.
if (d.isNaverButNotMine) {
s[i++] = d.item.maskUserId;
} else {
s[i++] = d.item.userNickname;
}
;
s[i++] = "</a> ";
if (d.isValidItem) {
s[i++] = " <p>";
// The comment body is the only value in this template that goes through escapeHTML().
s[i++] = jindo.$S(d.item.content).escapeHTML();
s[i++] = "</p> <div class=\"func\"> <span class=\"time\">";
s[i++] = d.item.sRegDate;
s[i++] = "</span> ";
if (d.isMobile) {
s[i++] = " <span class=\"mobile\">????? ??</span> ";
}
;
s[i++] = " ";
// Report / retweet / me2 links are emitted only for items that are not the viewer's own.
if (d.isNotMine) {
s[i++] = " | <a href=\"#\" class=\"action
_scmt_item(report,commentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ") _nclicks(rpl.report)\">??</a> ";
if (d.isTwitter) {
s[i++] = " | <a href=\"#\" class=\"retweet
_scmt_item(retweet,commentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ",snsPostId,";
s[i++] = d.item.snsPostId;
s[i++] = ") _nclicks(rpl.rtw)\">???</a> ";
}
;
s[i++] = " ";
if (d.isMe2day) {
s[i++] = " | <a href=\"#\" class=\"me2
_scmt_item(me2,commentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ",snsPostId,";
s[i++] = d.item.snsPostId;
s[i++] = ") _nclicks(rpl.me2)\">??</a> ";
}
;
s[i++] = " ";
}
;
s[i++] = " </div> <div class=\"btn_area2\"> <div>
<a href=\"#\" class=\"sc_btn _scmt_item(reply,parentCommentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ") _nclicks(rpl.reply)\">?? <strong>";
s[i++] = d.item.replyCount;
s[i++] = "</strong></a> ";
// The delete link is emitted only for the viewer's own items.
if (d.isMine) {
s[i++] = " <a href=\"#\" class=\"sc_btn
_scmt_item(delete,commentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ") _nclicks(rpl.del)\">??</a> ";
}
;
s[i++] = " </div> <div> <a href=\"#\"
id=\"scmt-good-comment-";
s[i++] = d.item.commentReplyNo;
s[i++] = "\" class=\"sc_btn recomm _scmt_item(good,commentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ") _nclicks(rpl.sym)\">";
s[i++] = d.item.goodCount;
s[i++] = "</a> <a href=\"#\" id=\"scmt-bad-comment-";
s[i++] = d.item.commentReplyNo;
s[i++] = "\" class=\"sc_btn recomm2 _scmt_item(bad,commentNo,";
s[i++] = d.item.commentReplyNo;
s[i++] = ") _nclicks(rpl.opp)\">";
s[i++] = d.item.badCount;
s[i++] = "</a> </div> </div> ";
} else {
s[i++] = " <p>";
// NOTE(review): statusModReason is appended without escaping.
s[i++] = d.item.statusModReason;
s[i++] = "</p> ";
}
;
s[i++] = " </li> ";
// Drop the per-iteration item reference from the caller's object; the flag fields stay.
delete d.item;
}
;
s[i++] = " </ul>";
return s.join("");
}
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Can anyone please provide some pointers as to why this crash happens..