Created attachment 585941
stack

x = []; x.push(x); x.toString = x.sort; x.toString();

crashes js debug and opt shell on m-c changeset 44d992ccc97a without any CLI arguments at IsPoisonedId or js::array_sort with too much recursion. Too much recursion crash, usually not security-sensitive, but IsPoisonedId freaks me out just a little. Bug 684462 might be related.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67921:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke
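The same toString/sort cycle as the testcase above, as an added example that is not part of the bug report: run under a current engine (Node.js) it shows that the engine's recursion limit surfaces the cycle as a catchable RangeError rather than a process crash, which is what makes this class of bug a DoS and not memory corruption. The two-element array is an assumption of this example: V8 skips element comparison for arrays shorter than two, so the single self-reference from the testcase would not recurse there.

```javascript
// Added example, not the testcase from the bug report.
// Reproduces the toString -> sort -> toString cycle and reports how the
// engine terminates it.
function triggerToStringSortCycle() {
  const x = [];
  x.push(x, x);          // x contains itself (twice, so sort() must compare)
  x.toString = x.sort;   // ToString(x) -> x.sort() -> ToString(x) -> ...
  try {
    x.toString();
    return "no-error";   // engine never stringified the elements
  } catch (e) {
    // A bounded engine throws RangeError ("Maximum call stack size exceeded")
    // instead of overflowing the native stack.
    return e instanceof RangeError ? "RangeError" : e.constructor.name;
  }
}
```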
Crash Signature: [@ IsPoisonedId] [@ js::array_sort]
Looks like a recursion DoS? If you agree, Jeff, we can unhide this bug. If not, please change [sg:dos] to something more appropriate.
Assignee: general → jwalden+bmo
Whiteboard: js-triage-needed → [sg:dos] js-triage-needed
Yeah, this is just recursion.
Whiteboard: [sg:dos] js-triage-needed → [sg:dos] js-triage-done
> See bug 717497, bug 721935 and bug 728722 for other possibly-related
> too-much-recursion crashes.

May I please convince someone (if Waldo is too busy) to fix these too-much-recursion DoS crashes? (Also see bug 671797, bug 684462 and bug 743301.) They are producing so many duplicates that we have to ignore js::Invoke on the crash reports, and js::Invoke seems to be such a commonly used function that ignoring it may hide other bugs.
Summary: Crash [@ IsPoisonedId] or [@ js::array_sort] → Crash [@ IsPoisonedId] or [@ js::array_sort] with js::Invoke or js::DefaultValue on the stack
Summary: Crash [@ IsPoisonedId] or [@ js::array_sort] with js::Invoke or js::DefaultValue on the stack → Too-much-recursion crash (js::Invoke, js::DefaultValue, js::array_sort)
Whiteboard: [sg:dos] js-triage-done → [sg:dos][fuzzblocker:js-recursion] js-triage-done
Whiteboard: [sg:dos][fuzzblocker:js-recursion] js-triage-done → [js:p1][sg:dos][fuzzblocker:js-recursion]
Whiteboard: [js:p1][sg:dos][fuzzblocker:js-recursion] → [js:p1:fx17][sg:dos][fuzzblocker:js-recursion]
Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED
Assignee: jwalden+bmo → general
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED