Created attachment 585941
x = ;
x.toString = x.sort;
crashes the js debug and opt shells on m-c changeset 44d992ccc97a, without any CLI arguments, at IsPoisonedId or js::array_sort with too much recursion.
Too much recursion crash, usually not security-sensitive, but IsPoisonedId freaks me out just a little.
Bug 684462 might be related.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
user: Jeff Walden
date: Mon Mar 28 20:01:53 2011 -0700
summary: Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke
Looks like a recursion DoS? If you agree, Jeff, we can unhide this bug. If not, please change [sg:dos] to something more appropriate.
Yeah, this is just recursion.
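The shape of the cycle behind this crash, as an added example that is not the attached testcase and is not SpiderMonkey code: an array whose toString is Array.prototype.sort, containing itself at least twice so that the default comparison has to convert an element to a string. ToString(x) calls x.toString, which is sort, which calls ToString(x) again, and so on until the recursion limit. The helper names below are my own; the example assumes a current engine (run under Node) where the limit surfaces as a catchable RangeError, which is the behaviour the fix gives the shell instead of a crash.

```javascript
// Added example, not the bug's testcase. Builds the toString/sort cycle
// and shows the engine reports it as a recursion error, not a crash.
function makeSortCycle() {
  const x = [];
  x.toString = x.sort;   // ToString(x) now runs Array.prototype.sort with this === x
  x.push(x, x);          // sort only compares (and so converts) with >= 2 elements
  return x;
}

// Trigger: String(x) -> x.toString() -> x.sort() -> ToString(x) -> ...
// Returns the name of the error the engine raised, or null if it did not throw.
function triggerSortCycle() {
  const x = makeSortCycle();
  try {
    String(x);
    return null;
  } catch (e) {
    return e instanceof RangeError ? "RangeError" : e.constructor.name;
  }
}

// Constructed check: a well-behaved engine throws rather than dying.
console.log(triggerSortCycle());  // expected "RangeError" under Node/V8
```

The point of the example is the stack trace it produces: every frame is the same sort/ToString pair, which is why so many of these reports were landing on js::Invoke and getting grouped together.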
See bug 717497, bug 721935 and bug 728722 for other possibly-related too-much-recursion crashes.
> See bug 717497, bug 721935 and bug 728722 for other possibly-related
> too-much-recursion crashes.
May I please convince someone (if Waldo is too busy) to fix these too-much-recursion DoS crashes? (Also see bug 671797, bug 684462 and bug 743301.)
They are producing so many duplicates that we have to ignore js::Invoke on the crash reports, and js::Invoke seems to be such a commonly used function that ignoring it may hide other bugs.
Fix and test landed in bug 779215. -> RESOLVED / VERIFIED FIXED