js> a = <a/>; a.function::__proto__ = null; "" + a; Stack overflow: ... 488 js 0x0001a5fe JS_CallFunctionName + 163 (jsapi.c:4356) 489 js 0x000d7a2c xml_defaultValue + 157 (jsxml.c:5240) 490 js 0x000c49b0 js_ValueToString + 98 (jsstr.c:2656) 491 js 0x000d7ee0 xml_getMethod + 453 (jsxml.c:5385) 492 js 0x0001a5fe JS_CallFunctionName + 163 (jsapi.c:4356) ...

The patch for bug 373082 fixes this since with it after a.function::__proto__ = null ToString(a) is equivalent to String.prototype.toString.call(a). And that throws an exception since String.prototype.toString can only be applied to strings.

With the bug 373082 fixed the behavior is now very reasonable: ~/m/trunk/mozilla/js/src $ cat ~/s/y.js try { a = <a/>; a.function::__proto__ = null; "" + a; throw "UNREACHABLE"; } catch (e) { if (!(e instanceof TypeError)) throw "Unexpected exception: "+uneval(e); print("Expected exception:"+uneval(e)) } print("OK"); ~/m/trunk/mozilla/js/src $ ./Linux_All_DBG.OBJ/js ~/s/y.js Expected exception:(new TypeError("String.prototype.toString called on incompatible XML", "/home/igor/s/y.js", 2)) OK

/cvsroot/mozilla/js/tests/e4x/extensions/regress-374163.js,v <-- regress-374163.js initial revision: 1.1

verified fixed linux, windows, mac* shell 20070406

Fixed om 1.8.1 with the patch for bug 373082 landed

Fixed on 1.8.0 with the patch for bug 373082 landed

verified fixed windows, macppc, linux 20070417 1.8.0, 1.8.1 shell