Too-much-recursion crash (js::Invoke, js::DefaultValue, js::array_sort)

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 5 years ago
People

Reporter: gkw
Assignee: Unassigned

Tracking

Blocks: 2 bugs
Keywords: crash, regression, testcase
Version: Trunk
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags: Not tracked

Details

Whiteboard: [js:p1:fx17][sg:dos][fuzzblocker:js-recursion]
Crash Signature: [@ IsPoisonedId] [@ js::array_sort]

Attachments: 1 (attachment 585941, stack)

Description (Reporter, 6 years ago)

Created attachment 585941: stack

x = [];
x.push(x);
x.toString = x.sort;
x.toString();

Crashes the js debug and opt shells on m-c changeset 44d992ccc97a, without any CLI arguments, at IsPoisonedId or js::array_sort with too much recursion.

Too much recursion crash, usually not security-sensitive, but IsPoisonedId freaks me out just a little.

Bug 684462 might be related.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67921:0906d9490eaf
user:        Jeff Walden
date:        Mon Mar 28 20:01:53 2011 -0700
summary:     Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited.  r=luke
Updated (Reporter, 6 years ago)

Crash Signature: [@ IsPoisonedId] [@ js::array_sort]
Updated (Reporter, 6 years ago)

Blocks: 349611

Comment 1 (6 years ago)

Looks like a recursion DoS? If you agree, Jeff, we can unhide this bug. If not, please change [sg:dos] to something more appropriate.
Assignee: general → jwalden+bmo
Whiteboard: js-triage-needed → [sg:dos] js-triage-needed
Updated (Reporter, 6 years ago)

OS: Mac OS X → All
Hardware: x86 → All

Comment 2 (6 years ago)

Yeah, this is just recursion.
Group: core-security
Whiteboard: [sg:dos] js-triage-needed → [sg:dos] js-triage-done
Comment 3 (Reporter, 6 years ago)

See bug 717497, bug 721935 and bug 728722 for other possibly-related too-much-recursion crashes.
Comment 4 (Reporter, 5 years ago)

> See bug 717497, bug 721935 and bug 728722 for other possibly-related
> too-much-recursion crashes.

May I please convince someone (if Waldo is too busy) to fix these too-much-recursion DoS crashes? (Also see bug 671797, bug 684462 and bug 743301.)

They are producing so many duplicates that we have to ignore js::Invoke on the crash reports, and js::Invoke is such a commonly used function that ignoring it may hide other bugs.
Summary: Crash [@ IsPoisonedId] or [@ js::array_sort] → Crash [@ IsPoisonedId] or [@ js::array_sort] with js::Invoke or js::DefaultValue on the stack

Updated (5 years ago)

Summary: Crash [@ IsPoisonedId] or [@ js::array_sort] with js::Invoke or js::DefaultValue on the stack → Too-much-recursion crash (js::Invoke, js::DefaultValue, js::array_sort)
Whiteboard: [sg:dos] js-triage-done → [sg:dos][fuzzblocker:js-recursion] js-triage-done
Whiteboard: [sg:dos][fuzzblocker:js-recursion] js-triage-done → [js:p1][sg:dos][fuzzblocker:js-recursion]
Whiteboard: [js:p1][sg:dos][fuzzblocker:js-recursion] → [js:p1:fx17][sg:dos][fuzzblocker:js-recursion]
Comment 5 (Reporter, 5 years ago)

Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED
Assignee: jwalden+bmo → general
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Updated (Reporter, 5 years ago)

Status: RESOLVED → VERIFIED