Closed Bug 813646 Opened 12 years ago Closed 10 years ago

Internals should have a higher stack limit than script recursion

Categories

(Core :: JavaScript Engine, enhancement)

enhancement
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 732665

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: sec-want, Whiteboard: [fuzzblocker])

My "nearNativeStackLimit" gadget keeps finding bugs where JS_CHECK_RECURSION trips in the middle of some complex operation (like document.write) and it doesn't unwind properly.

https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL+su%3AnearNativeStackLimit

Maybe we could prevent this problem by enforcing a tighter limit on script recursion (especially "eval") than on the things that happen in the middle of document.write.  [And maybe the latter could be elided or made fatal, rather than trying to recover.]

cf. bug 732665, bug 735082
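The "tighter limit for script recursion than for internals" idea sketched above, written out as a small C model. This is an added illustration, not code from the bug, from SpiderMonkey or from Gecko: the function names, the 128 KiB script limit, the 192 KiB internal limit (so 64 KiB of ballast), the ~1 KiB script frame and the 8 KiB internal scratch buffer are all assumed values chosen for the demonstration. It measures native stack use by address, stops simulated script recursion at the tighter limit, and then shows that a document.write-like internal operation invoked at that deepest permitted frame still completes when it has ballast, and fails (would have to unwind mid-operation) when both limits are the same.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a two-tier native stack limit ("stack limit ballast").
 * Script recursion (JS->JS calls, eval) is cut off at a tighter limit than
 * engine/DOM internals, so an internal operation that begins at the deepest
 * permitted script frame still has headroom instead of failing half-way.
 * Hypothetical design; not the real JS_CHECK_RECURSION implementation.
 */

static uintptr_t stack_base;      /* stack position recorded at entry */
static uintptr_t script_limit;    /* bytes of stack script recursion may use */
static uintptr_t internal_limit;  /* larger budget for internals; the gap is the ballast */

/* Record the stack base and both limits. Call before any check. */
void stack_limits_init(uintptr_t script_bytes, uintptr_t internal_bytes)
{
    volatile char anchor = 0;
    stack_base = (uintptr_t)&anchor;
    script_limit = script_bytes;
    internal_limit = internal_bytes;
}

/* Bytes of native stack consumed since init (assumes a downward-growing stack). */
static uintptr_t stack_in_use(void)
{
    volatile char here = 0;
    uintptr_t p = (uintptr_t)&here;
    return stack_base > p ? stack_base - p : 0;
}

/* The two checks a JS_CHECK_RECURSION-style macro would expand to. */
bool check_script_recursion(void)   { return stack_in_use() < script_limit; }
bool check_internal_recursion(void) { return stack_in_use() < internal_limit; }

/* Stand-in for an internal operation (document.write-like) that needs a few
 * KiB of native stack of its own. Returns false if it would overflow. */
bool internal_operation(void)
{
    volatile char scratch[8192];          /* simulated working memory (assumed size) */
    if (!check_internal_recursion())
        return false;                     /* would have to unwind mid-operation */
    scratch[0] = 1;
    scratch[sizeof scratch - 1] = scratch[0];
    return true;
}

struct outcome {
    int  script_depth;   /* frames reached before "too much recursion" */
    bool internal_ok;    /* did the internal op still run at that depth? */
};

/* Simulated script recursion: each frame burns ~1 KiB of stack and checks the
 * script limit first; at the limit it hands off to an internal operation. */
static int script_recurse(struct outcome *o, int depth)
{
    volatile char frame[1024];
    frame[0] = (char)depth;
    if (!check_script_recursion()) {
        o->script_depth = depth;
        o->internal_ok = internal_operation();
        return depth;
    }
    int deepest = script_recurse(o, depth + 1);
    frame[0]++;                           /* keep this frame live across the call */
    return deepest;
}

/* Run one scenario with the given limits and report what happened. */
struct outcome run_demo(uintptr_t script_bytes, uintptr_t internal_bytes)
{
    struct outcome o = { 0, false };
    stack_limits_init(script_bytes, internal_bytes);
    script_recurse(&o, 0);
    return o;
}

/* With 64 KiB of ballast the internal op still runs at the script limit. */
bool ballast_lets_internal_run(void)
{
    struct outcome o = run_demo(128u * 1024u, 192u * 1024u);
    return o.script_depth > 0 && o.internal_ok;
}

/* With a single shared limit the internal op fails exactly where it is needed. */
bool single_limit_fails_internal(void)
{
    struct outcome o = run_demo(128u * 1024u, 128u * 1024u);
    return o.script_depth > 0 && !o.internal_ok;
}

int main(void)
{
    printf("64 KiB ballast: internal op at script limit %s\n",
           ballast_lets_internal_run() ? "ran" : "failed");
    printf("single limit:   internal op at script limit %s\n",
           single_limit_fails_internal() ? "failed as expected" : "unexpectedly ran");
    return 0;
}
```

The second scenario is the situation the report describes: script recursion is allowed to run right up to the only limit there is, so any internal work that starts there trips the same check and has to unwind from the middle of an operation that was never designed to be interrupted. The ballast turns that into a plain "too much recursion" error raised at a script boundary instead.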
That's an interesting idea. It would be like having "stack limit ballast".
Bug 776497 is an example of a real-world top crash related to this.
Fixing this would remove a large amount of buggy, hard-to-test attack surface.
Whiteboard: [fuzzblocker]
I've seen some scary assertions about inner and outer windows that seem to trace back to this bug.
I did this in bug 732665.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Hmm, that is true! Then why am I still hitting hard-to-reduce bugs with too-much-recursion? Is it likely that some recursion checks are misclassified? Is fixing bug 735081 / bug 735082 the only way to find out?
Flags: needinfo?(bobbyholley)
(In reply to Jesse Ruderman from comment #6)
> Hmm, that is true! Then why am I still hitting hard-to-reduce bugs with
> too-much-recursion?

Do you have an example of such a bug? If you have one that's reproducible, I could take a look at some point (though right now I'm pretty swamped).
Flags: needinfo?(bobbyholley)
Bug 1006876 is a recent example, although decoder seems to have had more luck with reproducibility than I usually have.